CVE-2026-2452

{"id": "CVE-2026-2452", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Red", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-16T11:15:56.420", "references": [{"url": "https://pretix.eu/about/en/blog/20260216-release-2026-1-1/", "tags": ["Patch", "Third Party Advisory"], "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "655498c3-6ec5-4f0b-aea6-853b334d05a6", "description": [{"lang": "en", "value": "CWE-627"}]}], "descriptions": [{"lang": "en", "value": "Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when {name}\n is used in an email template, it will be replaced with the buyer's \nname for the final email. This mechanism contained a security-relevant bug:\n\nIt was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as {{event.__init__.__code__.co_filename}}.\n This way, an attacker with the ability to control email templates \n(usually every user of the pretix backend) could retrieve sensitive \ninformation from the system configuration, including even database \npasswords or API keys. pretix does include mechanisms to prevent the usage of such \nmalicious placeholders, however due to a mistake in the code, they were \nnot fully effective for this plugin.\n\nOut of caution, we recommend that you rotate all passwords and API keys contained in your pretix.cfg https://docs.pretix.eu/self-hosting/config/ \u00a0file."}, {"lang": "es", "value": "Los correos electr\u00f3nicos enviados por pretix pueden utilizar marcadores de posici\u00f3n que se rellenar\u00e1n con datos del cliente. Por ejemplo, cuando se utiliza {name} en una plantilla de correo electr\u00f3nico, se reemplazar\u00e1 con el nombre del comprador para el correo electr\u00f3nico final. Este mecanismo conten\u00eda un error de seguridad relevante:\n\nEra posible exfiltrar informaci\u00f3n sobre el sistema pretix a trav\u00e9s de nombres de marcadores de posici\u00f3n especialmente dise\u00f1ados, como {{event.__init__.__code__.co_filename}}. De esta manera, un atacante con la capacidad de controlar plantillas de correo electr\u00f3nico (normalmente cualquier usuario del backend de pretix) podr\u00eda recuperar informaci\u00f3n sensible de la configuraci\u00f3n del sistema, incluyendo incluso contrase\u00f1as de base de datos o claves API. pretix s\u00ed incluye mecanismos para evitar el uso de tales marcadores de posici\u00f3n maliciosos, sin embargo, debido a un error en el c\u00f3digo, no fueron completamente efectivos para este plugin.\n\nPor precauci\u00f3n, recomendamos que rote todas las contrase\u00f1as y claves API contenidas en su archivo pretix.cfg https://docs.pretix.eu/self-hosting/config/."}], "lastModified": "2026-03-02T20:24:35.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "676E56F1-348F-410C-BFDD-9124BD51E34B", "versionEndExcluding": "2026.1.1", "versionStartIncluding": "4.16.0"}], "operator": "OR"}]}], "sourceIdentifier": "655498c3-6ec5-4f0b-aea6-853b334d05a6"}