Description
Emails sent by pretix can use placeholders that are filled with customer data. For example, when {name} is used in an email template, it is replaced with the buyer's name in the final email. This mechanism contained two security-relevant bugs:

* It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the use of such malicious placeholders; however, due to a mistake in the code, they were not fully effective for the email subject.

* Placeholders in subjects and plain-text bodies of emails were wrongly evaluated twice. Therefore, if the result of the first evaluation of a placeholder itself contained a placeholder, that second placeholder was rendered as well. This allows placeholders controlled by the ticket buyer to be rendered, and therefore the first issue to be exploited by a ticket buyer. Luckily, the only buyer-controlled placeholder available in pretix by default (that is not validated in a way that prevents the issue) is {invoice_company}, which is very unusual (but not impossible) to find in an email subject template. In addition to broadening the attack surface of the first issue, this could theoretically also leak information about an order to one of the attendees within that order. However, we also consider this scenario very unlikely under typical conditions.

Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file (https://docs.pretix.eu/self-hosting/config/).
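As an added example (not pretix's own code), the following Python renderer shows the two properties the advisory describes as missing: an allow-list that refuses attribute traversal in placeholder names, and a single rendering pass shared by subject and body so that substituted values are never re-parsed. The allow-listed placeholder names and the sample order data are constructed for the example; `render_twice_legacy` reproduces the double-evaluation pattern only to contrast it with the single-pass renderer.

```python
import string

# Constructed allow-list for this example (pretix's real registry is not shown).
ALLOWED_PLACEHOLDERS = frozenset({"name", "event", "invoice_company"})


class SafeFormatter(string.Formatter):
    """Single-pass formatter that resolves only bare, allow-listed names;
    plain str.format() would resolve "{event.__init__.__code__.co_filename}"
    by walking attributes, which overriding get_field() prevents."""

    def get_field(self, field_name, args, kwargs):
        # Dotted names, [index] access, positional numbers and unknown
        # names all fail the membership test and are rejected.
        if field_name not in ALLOWED_PLACEHOLDERS:
            raise ValueError(f"placeholder not allowed: {field_name!r}")
        return kwargs[field_name], field_name

    def format_field(self, value, format_spec):
        # No width/precision specs in email templates; this also blocks
        # nested fields such as "{name:{event}}".
        if format_spec:
            raise ValueError("format specs are not allowed")
        return str(value)


def render_once(template: str, context: dict) -> str:
    """One pass: values are inserted verbatim and never re-parsed, so an
    escaped "{{...}}" in the template stays a literal "{...}" in the output."""
    return SafeFormatter().vformat(template, (), context)


def render_twice_legacy(template: str, context: dict) -> str:
    """The pattern behind the second bug: formatting the rendered output again
    turns braces inside a buyer-supplied value into live placeholders."""
    return template.format(**context).format(**context)


def rejected(template: str, context: dict) -> bool:
    """True if the safe renderer refuses this template."""
    try:
        render_once(template, context)
    except ValueError:
        return True
    return False


def render_email(subject: str, body: str, context: dict) -> tuple:
    """Subject and body share one code path; neither can skip the check."""
    return render_once(subject, context), render_once(body, context)
```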
Published: 2026-02-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data leakage
Action: Patch promptly
AI Analysis

Impact

Emails sent by pretix can include placeholders that expand to customer data. The vulnerability allows attackers to craft placeholder names that traverse internal object attributes, revealing database passwords, API keys, or other secrets through the email subject and body. The bug arises because placeholders are evaluated twice and the sanitization of malicious names is incomplete for the subject, enabling information leakage by users who can edit email templates or, to a limited extent, by ticket buyers who control placeholders such as {invoice_company}. The flaw therefore permits the exfiltration of highly confidential configuration data and is classified as CWE-627 (Dynamic Variable Evaluation).

Affected Systems

pretix installations that use the email template feature are potentially affected. The affected product is pretix (vendor: pretix). The CVE record gives no specific version range, so every installation that uses the template system should be checked for the applied patch.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is in the high severity range. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, indicating a low current exploitation probability. However, the attack can be executed by any user who can edit templates in the backend, and to a limited extent by ticket buyers who can set certain placeholders. Successful exploitation leads to disclosure of database credentials, API keys, and potentially other system configuration data, impacting confidentiality but not integrity or availability directly.

Generated by OpenCVE AI on April 18, 2026 at 17:59 UTC.

Remediation

Vendor Workaround

Limit backend access to trusted users, and do not use user-controlled variables in email template subjects.


OpenCVE Recommended Actions

  • Apply the latest pretix release that contains the placeholder sanitization fix.
  • Restrict backend access to trusted administrators only and avoid using user-controlled variables in email subject templates.
  • Rotate all credentials stored in the pretix.cfg file, such as database passwords and API keys, to reduce the impact of any leaked secrets.



Advisories

Source: GitHub GHSA
ID: GHSA-r8p8-qw9w-j9qv
Title: pretix unsafely evaluates variables in emails
History

Fri, 13 Mar 2026 13:00:00 +0000

Values added:
  CPEs: cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*
  Metrics (cvssV3_1): score 5.9, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Tue, 17 Feb 2026 17:15:00 +0000

Values added:
  Metrics (ssvc, version 2.0.3): Automatable: no, Exploitation: none, Technical Impact: total

Mon, 16 Feb 2026 12:15:00 +0000

Values added:
  First time appeared: Pretix, Pretix pretix
  Vendors & Products: Pretix, Pretix pretix

Mon, 16 Feb 2026 10:45:00 +0000

Values added:
  Description: the advisory text reproduced in the Description section above
  Title: Unsafe variable evaluation in email templates
  Weaknesses: CWE-627
  References
  Metrics (cvssV4_0): score 7.5, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red


MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-02-17T17:06:39.418Z

Reserved: 2026-02-12T17:02:46.966Z

Link: CVE-2026-2415

Vulnrichment

Updated: 2026-02-17T16:43:13.482Z

NVD

Status : Analyzed

Published: 2026-02-16T11:15:56.047

Modified: 2026-03-13T12:47:32.733

Link: CVE-2026-2415

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses