CVE-2026-2415
📋 TL;DR
This CVE describes two template injection vulnerabilities in pretix email templates. Attackers with backend access can exfiltrate sensitive system configuration data including database passwords and API keys. Ticket buyers could also potentially exploit these vulnerabilities under specific conditions.
💻 Affected Systems
- pretix
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via exfiltration of database credentials and API keys, leading to data breach and unauthorized system access.
Likely Case
Privileged users with template editing access exfiltrating configuration secrets, potentially leading to data exposure.
If Mitigated
Limited exposure if proper access controls restrict template editing to trusted administrators only.
🎯 Exploit Status
Exploitation requires authenticated access to pretix backend for template editing. The vulnerability is well-documented in the advisory with specific payload examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.1.1
Vendor Advisory: https://pretix.eu/about/en/blog/20260216-release-2026-1-1/
Restart Required: Yes
Instructions:
1. Update pretix to version 2026.1.1 or later.
2. Restart the pretix service.
3. Rotate all passwords and API keys in pretix.cfg as recommended.
🔧 Temporary Workarounds
Restrict Template Editing
Limit email template editing permissions to trusted administrators only.
Disable Email Placeholders
Remove or disable placeholder functionality in email templates if it is not required.
🧯 If You Can't Patch
- Immediately rotate all database passwords and API keys in pretix.cfg configuration file
- Implement strict access controls to limit who can edit email templates in the backend
🔍 How to Verify
Check if Vulnerable:
Check the pretix version: if it is below 2026.1.1, the system is vulnerable.
Check Version:
Check the pretix version in the admin interface or via the package manager (e.g., pip show pretix).
Verify Fix Applied:
Verify pretix version is 2026.1.1 or later and test that malicious placeholders like {{event.__init__.__code__.co_filename}} no longer work in email subjects.
📡 Detection & Monitoring
Log Indicators:
- Unusual placeholder patterns in email template logs
- Multiple template evaluation errors
- Suspicious email generation patterns
Network Indicators:
- Unusual outbound connections following email generation
- Data exfiltration patterns from pretix server
SIEM Query:
Search for email template modification events followed by unusual system access patterns
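As an added defender-side example (not code from pretix or the advisory): a small Python scanner that flags email template placeholders which go beyond a bare name, such as the dunder traversal quoted in the verification step, so stored templates or template-change audit entries can be checked for the "unusual placeholder patterns" indicator above. The sample templates, and the assumption that legitimate pretix placeholders are bare names like {event} or {code}, are constructed for this illustration.

```python
import re

# Constructed sample templates for demonstration; they are not pretix data.
# The second entry mirrors the placeholder shape quoted in the advisory.
SAMPLE_TEMPLATES = [
    ("subject", "Your order {code} for {event}"),
    ("subject", "{{event.__init__.__code__.co_filename}}"),
    ("body", "Hi {name}, your tickets are at {url}"),
    ("body", "Ref {event.__class__.__mro__} / {order.settings}"),
]

# Assumption: legitimate placeholders are bare names such as {event} or {code};
# both single- and double-brace forms are accepted so either syntax is caught.
PLACEHOLDER_RE = re.compile(r"\{\{?([^{}]+?)\}?\}")
DUNDER_RE = re.compile(r"__\w+__")


def classify_placeholder(expr):
    """Return 'dunder', 'traversal' or 'plain' for one placeholder expression."""
    if DUNDER_RE.search(expr):
        return "dunder"          # attribute chain through __x__ names
    if "." in expr or "[" in expr:
        return "traversal"       # attribute/subscript access beyond a bare name
    return "plain"


def find_suspicious_placeholders(template):
    """Return [(expression, verdict)] for every non-plain placeholder."""
    hits = []
    for match in PLACEHOLDER_RE.finditer(template):
        expr = match.group(1).strip()
        verdict = classify_placeholder(expr)
        if verdict != "plain":
            hits.append((expr, verdict))
    return hits


def scan_templates(templates):
    """Scan (field, template) pairs; return [(field, expression, verdict)]."""
    return [
        (field, expr, verdict)
        for field, tpl in templates
        for expr, verdict in find_suspicious_placeholders(tpl)
    ]


if __name__ == "__main__":
    for field, expr, verdict in scan_templates(SAMPLE_TEMPLATES):
        print(f"{verdict:9s} {field}: {expr}")
```

Run it against exported templates or the template field of audit log entries; any "dunder" hit is a direct match for the payload shape in the advisory, while "traversal" hits deserve a manual look.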