CVE-2026-2452
Received Received - Intake
Information Disclosure via Insecure Placeholder Handling in pretix Emails

Publication date: 2026-02-16

Last updated on: 2026-03-12

Assigner: rami.io

Description
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ Β file.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2452
EUVD
EUVD-2026-6095
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
pretix pretix From 4.16.0 (inc) to 2026.1.1 (exc)
pretix newsletters to 1.6.3 (exc)
pretix newsletters 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-627 In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the pretix system's email template mechanism, which uses placeholders to insert customer data into emails. An attacker who can control email templates (usually any user of the pretix backend) can craft malicious placeholders such as {{event.__init__.__code__.co_filename}} to exfiltrate sensitive system information.

Due to a bug, the protections designed to block such malicious placeholders were not fully effective, allowing attackers to retrieve sensitive data including database passwords and API keys.

Impact Analysis

An attacker exploiting this vulnerability can gain unauthorized access to sensitive configuration information such as database passwords and API keys.

This can lead to further compromise of the system, including unauthorized data access, data breaches, or manipulation of the pretix system.

As a precaution, it is recommended to rotate all passwords and API keys stored in the pretix configuration file after addressing this vulnerability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, it is recommended to rotate all passwords and API keys contained in your pretix.cfg configuration file.

This is necessary because the vulnerability allows attackers with control over email templates to exfiltrate sensitive system information, including database passwords and API keys.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2452. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart