CVE-2026-2451

Name of the Vulnerable Software and Affected Versions pretix (affected versions not specified)

Description The software allows the use of placeholders in email templates that are populated with customer data. A flaw exists where specially crafted placeholder names, such as {{event. init . code .co filename}}, can be used to extract information from the pretix system. An attacker who can control email templates, typically any user of the pretix backend, could potentially retrieve sensitive information from the system configuration, including database passwords and API keys. Existing preventative mechanisms within pretix were not fully effective in this instance.

Recommendations Rotate all passwords and API keys contained in your pretix.cfg file.