Skip to main content

Pretix CVE-2026-2452

MEDIUM
Dynamic Variable Evaluation (CWE-627)
2026-02-16 655498c3-6ec5-4f0b-aea6-853b334d05a6
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Mar 12, 2026 - 17:29 nvd
Patch available
CVE Published
Feb 16, 2026 - 11:15 nvd
MEDIUM 6.5

DescriptionCVE.org

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug:

It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for this plugin.

Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/  file.

AnalysisAI

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive system data including database credentials and API keys through specially crafted placeholder syntax that bypasses existing validation controls. An attacker with email template editing permissions can leverage this vulnerability to access confidential configuration information from the system. A patch is available to address the ineffective placeholder sanitization mechanism.

Technical ContextAI

Affects Newsletters. Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug:

It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

More in Pretix

View all
CVE-2024-27447 CRITICAL
9.8 Feb 26

pretix before 2024.1.1 mishandles file validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely ex

CVE-2026-57532 HIGH
8.8 Jun 25

Stored cross-site scripting in Pretix's PDF ticket and badge layout editor allows one backend user to inject JavaScript

CVE-2023-44464 HIGH
7.8 Sep 29

pretix before 2023.7.2 allows Pillow to parse EPS files. Rated high severity (CVSS 7.8), this vulnerability is no authen

CVE-2026-13602 HIGH
7.7 Jul 01

Privilege escalation to full account takeover in pretix (open-source event ticketing) and its payment integration plugin

CVE-2023-27891 HIGH
7.5 Mar 06

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. Rated high severity (CVSS

CVE-2024-8113 HIGH
7.2 Aug 23

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tag

CVE-2026-2451 MEDIUM
6.5 Feb 16

Information disclosure in Pretix email template processing allows authenticated backend users to extract sensitive syste

CVE-2026-2415 MEDIUM
5.9 Feb 16

Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information

CVE-2026-5600 MEDIUM
5.5 Apr 08

Pretix 2025 and 2026 versions contain an API endpoint authorization bypass that returns all check-in events for an organ

CVE-2026-13225 MEDIUM
5.3 Jun 25

HTML injection on pretix's individual ticket confirmation page allows unsanitized email address content to execute arbit

CVE-2023-44463 MEDIUM
5.3 Oct 02

An issue was discovered in pretix before 2023.7.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely expl

CVE-2026-11764 LOW
3.6 Jun 09

Gift card secret exposure in pretix event ticketing software allows a highly privileged user who lacks explicit gift car

Share

CVE-2026-2452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy