CVE-2026-2452

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due to a mistake in the code, they were not fully effective for this plugin. Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ file.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://pretix.eu/about/en/blog/20260216-release-2026-1-1/	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pretix:newsletters::::::pretix::*
	cpe:2.3:a:pretix:newsletters:2.0.0:::::pretix::
	cpe:2.3:a:pretix:pretix::::::::

History

No history.

Information

Published : 2026-02-16 11:15

Updated : 2026-03-12 17:29

NVD link : CVE-2026-2452

Mitre link : CVE-2026-2452

CVE.ORG link : CVE-2026-2452

JSON object : View

Products Affected

pretix

pretix
newsletters

CWE

CWE-627

Dynamic Variable Evaluation

{"id": "CVE-2026-2452", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Red", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-16T11:15:56.420", "references": [{"url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/", "tags": ["Patch", "Third Party Advisory"], "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "description": [{"lang": "en", "value": "CWE-627"}]}], "descriptions": [{"lang": "en", "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will be replaced with the buyer's \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."}, {"lang": "es", "value": "Los correos electr\u00f3nicos enviados por pretix pueden utilizar marcadores de posici\u00f3n que se rellenar\u00e1n con datos del cliente. Por ejemplo, cuando se utiliza {name} en una plantilla de correo electr\u00f3nico, se reemplazar\u00e1 con el nombre del comprador para el correo electr\u00f3nico final. Este mecanismo conten\u00eda un error de seguridad relevante:\n\nEra posible exfiltrar informaci\u00f3n sobre el sistema pretix a trav\u00e9s de nombres de marcadores de posici\u00f3n especialmente dise\u00f1ados, como {{event.__init__.__code__.co_filename}}. De esta manera, un atacante con la capacidad de controlar plantillas de correo electr\u00f3nico (normalmente cualquier usuario del backend de pretix) podr\u00eda recuperar informaci\u00f3n sensible de la configuraci\u00f3n del sistema, incluyendo incluso contrase\u00f1as de base de datos o claves API. pretix s\u00ed incluye mecanismos para evitar el uso de tales marcadores de posici\u00f3n maliciosos, sin embargo, debido a un error en el c\u00f3digo, no fueron completamente efectivos para este plugin.\n\nPor precauci\u00f3n, recomendamos que rote todas las contrase\u00f1as y claves API contenidas en su archivo pretix.cfg https://docs.pretix.eu/self-hosting/config/."}], "lastModified": "2026-03-12T17:29:01.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pretix:newsletters:*:*:*:*:*:pretix:*:*", "vulnerable": true, "matchCriteriaId": "D9C0752B-D6CB-429E-BB2A-F0B9381AE7CF", "versionEndExcluding": "1.6.3"}, {"criteria": "cpe:2.3:a:pretix:newsletters:2.0.0:*:*:*:*:pretix:*:*", "vulnerable": true, "matchCriteriaId": "B4F6FD9A-DA1C-4943-82E8-F4B657FAEDB6"}, {"criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "676E56F1-348F-410C-BFDD-9124BD51E34B", "versionEndExcluding": "2026.1.1", "versionStartIncluding": "4.16.0"}], "operator": "OR"}]}], "sourceIdentifier": "655498c3-6ec5-4f0b-aea6-853b334d05a6"}