Pretix Unsafe Placeholder Evaluation Vulnerability in Email Templates

Vulnerability

A vulnerability in Pretix email templates allows unsafe evaluation of placeholders and can be exploited to exfiltrate sensitive information from the system. It affects all supported versions of Pretix from an estimated 4.16.0 onwards and prior to 2026.1.1; the fixed releases are 2026.1.1, 2025.10.2, and 2025.9.4. The flaw lies in the placeholder evaluation mechanism, which failed to properly sanitize placeholder names in the email subject, so an attacker could inject placeholders that resolve to confidential values such as database passwords or API keys. The issue is compounded by a double evaluation of placeholders in email subjects and plain-text bodies: buyer-controlled data substituted in the first pass is evaluated again in the second, which could leak order information to other attendees.
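The two flaws described above, shown side by side in a constructed Python renderer (an added illustration, not pretix's code; the `ORDER` and `CONFIG` values, the placeholder syntax and the `ALLOWED` set are all assumptions made for the example): the unsafe version resolves any braced name against application configuration and re-evaluates its own output, while the hardened version does a single allowlisted pass.

```python
import re

# Constructed example, not pretix's code: a simplified email subject renderer
# reproducing the advisory's two flaws (placeholder names resolving to arbitrary
# config values, and a second evaluation pass over already-substituted text)
# next to a single-pass, allowlisted renderer.

PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample data standing in for an order and application configuration.
ORDER = {"attendee_name": "{database_password}", "order_code": "ABC12"}
CONFIG = {"database_password": "hunter2-example", "api_key": "key-example"}


def render_unsafe(template, context):
    """Vulnerable: any braced name is looked up in the merged context, and the
    result is evaluated a second time, so buyer-controlled data that contains
    braces is itself expanded on the second pass."""
    merged = {**CONFIG, **context}

    def expand(text):
        return PLACEHOLDER.sub(lambda m: merged.get(m.group(1), m.group(0)), text)

    return expand(expand(template))


# Only placeholders the event organiser is meant to use are resolvable.
ALLOWED = {"attendee_name", "order_code"}


def render_safe(template, context):
    """Hardened: one substitution pass, names checked against an allowlist, and
    substituted values are never re-scanned for placeholders."""

    def lookup(m):
        name = m.group(1)
        if name not in ALLOWED or name not in context:
            return m.group(0)  # leave unknown placeholders as literal text
        return str(context[name])

    return PLACEHOLDER.sub(lookup, template)


TEMPLATE = "Your ticket, {attendee_name} (order {order_code})"

if __name__ == "__main__":
    print(render_unsafe(TEMPLATE, ORDER))  # config value leaks into the subject
    print(render_safe(TEMPLATE, ORDER))    # braces in buyer data stay literal
```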

Impact

Exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive system information, including database passwords and API keys, through the email placeholder mechanism. Furthermore, the vulnerability could allow for the injection of buyer-controlled placeholder data into email subjects, potentially leaking private order information to unintended recipients.

Remediation

Users are advised to update to Pretix versions 2026.1.1, 2025.10.2, or 2025.9.4. For those using Pretix Enterprise plugins, updates are available for the affected plugins: pretix-doistep (version 1.3.2) and pretix-newsletter (versions 2.0.1 and 1.6.3).

Added: Feb 16, 2026, 11:59 AM
Updated: Feb 16, 2026, 11:59 AM

Vulnerability Rating

Custom Algorithm
spread          1.0
impact          2.5
exploitability  6.8
remediation     8.3
relevance       3.2
threat          6.4
urgency        10.0
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.