CVE-2026-2415
Received - Intake
Information Disclosure via Improper Placeholder Handling in pretix Emails

Publication date: 2026-02-16

Last updated on: 2026-03-13

Assigner: rami.io

Description
Emails sent by pretix can use placeholders that are filled with customer data. For example, when {name} is used in an email template, it is replaced with the buyer's name in the final email. This mechanism contained two security-relevant bugs:

* It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the use of such malicious placeholders; however, due to a mistake in the code, they were not fully effective for the email subject.

* Placeholders in subjects and plain-text bodies of emails were wrongly evaluated twice. Therefore, if the result of the first evaluation of a placeholder itself contained a placeholder, that second placeholder was rendered as well. This allows the rendering of placeholders controlled by the ticket buyer, and therefore the exploitation of the first issue as a ticket buyer. Luckily, the only buyer-controlled placeholder available in pretix by default (that is not validated in a way that prevents the issue) is {invoice_company}, which is very unusual (but not impossible) to find in an email subject template. In addition to broadening the attack surface of the first issue, this could theoretically also leak information about an order to one of the attendees within that order. However, we also consider this scenario very unlikely under typical conditions.

Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file (https://docs.pretix.eu/self-hosting/config/).
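As an added illustration (not pretix's own code), the following Python renderer applies the two defences the advisory implies: it rejects placeholder names that traverse attributes or items, and it substitutes values in a single pass so that nothing a buyer supplies is ever re-evaluated. The allowlist and the sample context are constructed for the example.

```python
import re
from string import Formatter

# Constructed allowlist; pretix's real placeholder set is defined elsewhere.
ALLOWED_PLACEHOLDERS = {"name", "event", "invoice_company", "order_code"}

# Constructed sample context; invoice_company is buyer-controlled and here
# carries a placeholder-like string, as in the double-evaluation scenario.
SAMPLE_CONTEXT = {
    "name": "Ada Lovelace",
    "event": "Sample Conference",
    "invoice_company": "{event.__class__.__module__}",
}

_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_FORMATTER = Formatter()


def validate_template(template: str) -> list[str]:
    """Return problems found in a template; an empty list means it may be rendered."""
    problems = []
    try:
        for _literal, field, _spec, _conv in _FORMATTER.parse(template):
            if field is None:
                continue  # literal text, including escaped {{ and }}
            # str.format field names may traverse attributes ("a.b") or items
            # ("a[0]"); only bare, allowlisted identifiers are accepted.
            if not _IDENTIFIER.fullmatch(field):
                problems.append(f"attribute/index access not permitted: {{{field}}}")
            elif field not in ALLOWED_PLACEHOLDERS:
                problems.append(f"unknown placeholder: {{{field}}}")
    except ValueError as exc:  # unbalanced or stray braces
        problems.append(f"malformed template: {exc}")
    return problems


def render_once(template: str, context: dict[str, str]) -> str:
    """Single-pass rendering: values are inserted verbatim and never re-parsed,
    so a buyer-controlled "{event.__class__.__module__}" stays literal text and
    an escaped "{{...}}" becomes a literal "{...}", not a second-round field."""
    problems = validate_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    parts = []
    for literal, field, _spec, _conv in _FORMATTER.parse(template):
        parts.append(literal)
        if field is not None:
            parts.append(str(context.get(field, "")))
    return "".join(parts)
```

Note that validation alone does not catch the double-brace form, because `{{...}}` is an escape with no field name; it is the single-pass rendering that keeps it from becoming a live placeholder.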
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: pretix
Product: pretix
Version range: from 4.16.0 (inclusive) to 2026.1.1 (exclusive)
CWE
CWE-627: In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


Can you explain this vulnerability to me?

This vulnerability involves the email templating system in pretix, where placeholders in emails are replaced with customer data. Two security-relevant bugs were found:

  • An attacker controlling email templates (usually any pretix backend user) could use specially crafted placeholder names to exfiltrate sensitive system information, such as database passwords or API keys.
  • Placeholders in email subjects and plain text bodies were evaluated twice, allowing a ticket buyer to exploit the first issue by injecting placeholders that get rendered in the second evaluation. This broadens the attack surface and could theoretically leak order information to attendees.

Although pretix has mechanisms to prevent malicious placeholders, these were not fully effective for email subjects, and the buyer-controlled placeholder that could be exploited is rare in email subjects.


How can this vulnerability impact me?

This vulnerability can lead to the leakage of sensitive information from the pretix system, including database passwords and API keys, if an attacker can control email templates.

It also increases the risk that order information could be leaked to unintended recipients, such as other attendees, although this scenario is considered unlikely.

Due to these risks, it is recommended to rotate all passwords and API keys contained in the pretix configuration file as a precaution.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, it is recommended to rotate all passwords and API keys contained in your pretix.cfg configuration file.

This precaution helps to prevent potential exfiltration of sensitive information such as database passwords or API keys that could have been exposed due to the vulnerability.

