Description
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name} is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug:

It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders; however, due to a mistake in the code, they were not fully effective for this plugin.

Out of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg file (https://docs.pretix.eu/self-hosting/config/).
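As an added example (not pretix's own code), here is one way to implement the check the description says was not fully effective: a placeholder renderer that accepts a placeholder only as a single bare, allowlisted name, so a template can never walk Python object attributes the way {{event.__init__.__code__.co_filename}} does. The allowlist, the accepted {name}/{{name}} spellings and the function names are assumptions for this example.

```python
import re

# Constructed allowlist for this example; a real deployment would use the
# set of placeholders the application itself defines.
ALLOWED_PLACEHOLDERS = frozenset({"name", "event", "order_code"})

# Matches the '{field}' and '{{field}}' spellings alike and captures the raw
# text between the braces, whatever it contains.
_PLACEHOLDER_RE = re.compile(r"\{\{?([^{}]*)\}\}?")

# A legitimate placeholder is one bare identifier and nothing else.
_BARE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def find_rejected_placeholders(template, allowed=ALLOWED_PLACEHOLDERS):
    """Return every placeholder in the template that must be refused.

    Attribute chains ('event.__init__.__code__.co_filename'), indexing
    ('order[0]'), conversions ('event!r') and format specs ('name:>20')
    all fail the bare-name test; bare names outside the allowlist are
    refused too. Run this when a template is saved, not only when sent.
    """
    rejected = []
    for match in _PLACEHOLDER_RE.finditer(template):
        field = match.group(1).strip()
        if not _BARE_NAME_RE.match(field) or field not in allowed:
            rejected.append(field)
    return rejected


def render_template(template, context, allowed=ALLOWED_PLACEHOLDERS):
    """Substitute placeholders by plain dictionary lookup.

    No str.format() and no attribute access: the context must map bare
    names to strings, so a placeholder can never reach Python objects.
    """
    bad = find_rejected_placeholders(template, allowed)
    if bad:
        raise ValueError(f"template rejected, unsafe placeholders: {bad}")
    for name, value in context.items():
        if not isinstance(value, str):
            raise TypeError(f"context value for {name!r} must be a str")

    def substitute(match):
        name = match.group(1).strip()
        # Allowlisted but missing from this context: leave it verbatim.
        return context.get(name, match.group(0))

    return _PLACEHOLDER_RE.sub(substitute, template)
```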
Published: 2026-02-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Emails in pretix use placeholders that can be populated with user data. The bug allows attackers who can create or edit email templates to reference arbitrary Python attributes through crafted placeholder names, causing the system to expose sensitive configuration details such as database credentials and API keys. This results in full disclosure of critical secrets stored in the pretix.cfg file.

Affected Systems

pretix’s newsletter component (pretix-newsletter) is affected. All versions of the pretix platform that include the newsletter plugin before the 2026.1.1 release are vulnerable. The vulnerability is present in versions such as 2.0.0 and earlier, and any instance where the newsletter plugin is enabled.

Risk and Exploitability

The CVSS score of 7.5 indicates high risk, yet the EPSS score is below 1%, suggesting the chance of exploitation is currently low. The flaw is not listed in the CISA KEV catalog, meaning there is no confirmed public exploitation. Attackers would need access to the backend to alter templates, so the risk is greatest for instances with lax administrative controls. If the vulnerability is exploited, attackers could read the entire pretix.cfg file, leading to credential compromise and potentially full system takeover.

Generated by OpenCVE AI on April 17, 2026 at 19:07 UTC.

Remediation

Vendor Workaround

Limit backend access to trusted users; do not use user-controlled variables in the email templates.


OpenCVE Recommended Actions

  • Upgrade pretix to the latest release (2026.1.1 or newer) where the placeholder validation issue is fixed.
  • Restrict backend editor access so that only trusted administrators can create or modify newsletter templates.
  • Ensure that templates do not contain user-controlled variables; use safe placeholders only or disable the newsletter plugin if not required.
  • Rotate all passwords and API keys listed in the pretix.cfg configuration file to mitigate potential credential compromise.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 17:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pretix newsletters
CPEs                                  cpe:2.3:a:pretix:newsletters:*:*:*:*:*:pretix:*:*
                                      cpe:2.3:a:pretix:newsletters:2.0.0:*:*:*:*:pretix:*:*
Vendors & Products                    Pretix newsletters

Mon, 02 Mar 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pretix pretix
CPEs                                  cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*
Vendors & Products                    Pretix pretix
Metrics cvssV3_1                      {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Tue, 17 Feb 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Metrics ssvc                          {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Feb 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Pretix
                                      Pretix pretix-newsletter
Vendors & Products                    Pretix
                                      Pretix pretix-newsletter

Mon, 16 Feb 2026 10:45:00 +0000

Type                 Values Removed   Values Added
Description                           (initial CVE description, identical to the Description at the top of this page)
Title                                 Unsafe variable evaluation in email templates
Weaknesses                            CWE-627
References
Metrics cvssV4_0                      {'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/RE:L/U:Red'}


MITRE

Status: PUBLISHED

Assigner: rami.io

Published:

Updated: 2026-02-17T17:06:21.998Z

Reserved: 2026-02-13T09:57:35.371Z

Link: CVE-2026-2452

Vulnrichment

Updated: 2026-02-17T16:43:10.936Z

NVD

Status: Analyzed

Published: 2026-02-16T11:15:56.420

Modified: 2026-03-12T17:29:01.843

Link: CVE-2026-2452

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses