CVE-2026-2451
Status: Received - Intake
Information Disclosure via Insecure Placeholder Handling in pretix Emails

Publication date: 2026-02-16

Last updated on: 2026-03-13

Assigner: rami.io

Description
Emails sent by pretix can use placeholders that are filled with customer data. For example, when {name} is used in an email template, it is replaced with the buyer's name in the final email. This mechanism contained a security-relevant bug: it was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the use of such malicious placeholders; however, due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file.
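A defensive illustration of the placeholder mechanism described above, written for this page and not taken from pretix or the plugin: the template is scanned for brace-delimited tokens and only bare, allowlisted names are substituted by plain text replacement, so the nested-attribute form quoted in the description is rejected before any formatting takes place. The placeholder names, the context dictionary layout and the sample order data are assumptions.

```python
import re

# Allowlist of placeholder names (assumed for this example, not pretix's list),
# each mapped to a function that pulls a plain string out of a context dict.
ALLOWED_PLACEHOLDERS = {
    "name": lambda ctx: ctx["order"]["name"],
    "event": lambda ctx: ctx["event"]["name"],
    "code": lambda ctx: ctx["order"]["code"],
}

# Every brace-delimited token, including the inner token of a doubled form
# such as {{x}}, so nothing escaped here can become live in a later pass.
_TOKEN = re.compile(r"\{([^{}]*)\}")
# A legal placeholder is a bare identifier: no dots, brackets, colons or bangs,
# which rules out attribute, item and format-spec syntax entirely.
_BARE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafePlaceholder(ValueError):
    """Raised when a template references anything outside the allowlist."""


def validate_template(template: str) -> list[str]:
    """Return the placeholders a template uses, or raise on any other token."""
    used = []
    for token in _TOKEN.findall(template):
        if not _BARE_NAME.match(token):
            raise UnsafePlaceholder(f"malformed placeholder {{{token}}}")
        if token not in ALLOWED_PLACEHOLDERS:
            raise UnsafePlaceholder(f"unknown placeholder {{{token}}}")
        used.append(token)
    return used


def is_safe_template(template: str) -> bool:
    """True if validate_template accepts the template, False otherwise."""
    try:
        validate_template(template)
        return True
    except UnsafePlaceholder:
        return False


def render(template: str, ctx: dict) -> str:
    """Validate, then substitute by plain text replacement, never str.format."""
    validate_template(template)
    values = {k: str(f(ctx)) for k, f in ALLOWED_PLACEHOLDERS.items()}
    # Values are inserted as text and the result is not formatted again, so
    # no attribute lookup on a live Python object is ever evaluated.
    return _TOKEN.sub(lambda m: values[m.group(1)], template)
```

Validating templates at save time with validate_template, rather than only at send time, surfaces a rejected placeholder to the backend user instead of silently producing a broken email.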
Meta Information
Published: 2026-02-16
Last Modified: 2026-03-13
Generated: 2026-05-07
AI Q&A: 2026-02-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
pretix | pretix | from 4.16.0 (inclusive) to 2026.1.1 (exclusive)
pretix | double_opt_in_step | up to 1.3.2 (exclusive)
CWE
CWE-627: In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in pretix's email template system, where placeholders in emails are replaced with customer data. An attacker who can control email templates can use specially crafted placeholder names to exfiltrate sensitive system information.

For example, using a placeholder like {{event.__init__.__code__.co_filename}} allows an attacker to retrieve sensitive data such as database passwords or API keys from the system configuration.

Although pretix includes mechanisms to block malicious placeholders, a coding mistake made these protections ineffective for this plugin.


How can this vulnerability impact me?

If exploited, this vulnerability can lead to the exposure of sensitive information including database passwords and API keys.

An attacker with access to the pretix backend user interface could extract confidential system configuration data, potentially compromising the entire system's security.

As a precaution, it is recommended to rotate all passwords and API keys stored in the pretix configuration file after addressing this vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update your pretix installation to the latest security release as soon as possible.

Additionally, it is recommended to rotate all passwords and API keys contained in your pretix.cfg file to prevent potential misuse of leaked credentials.

