CVE-2026-2452

CVSS v4.0

7.5

Vector

AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Red

Name of the Vulnerable Software and Affected Versions pretix (affected versions not specified)

Description The software allows the use of placeholders in email templates that are populated with customer data. A flaw exists where specially crafted placeholder names, such as

{{event. init . code .co filename}}

, can be used to extract information from the pretix system. An attacker who can control email templates, typically any user of the pretix backend, could potentially retrieve sensitive information from the system configuration, including database passwords and API keys. Existing preventative mechanisms within pretix were not fully effective in mitigating this issue.

Recommendations Rotate all passwords and API keys contained in your pretix.cfg file.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-627

Related Identifiers

CVE-2026-2452

Affected Products

Pretix

CVE-2026-2452

Weakness Enumeration

Related Identifiers

Affected Products

References · 5