pretix
cpe:2.3:a:pretix:pretix:*:*:*:*:*:*:*
- >= 4.16.0, < 2026.1.1
A vulnerability exists in the pretix-doistep plugin for pretix, allowing for the injection of malicious placeholders into email templates. This issue arises from an improper evaluation of placeholders, which could be exploited by users with access to the pretix backend. The vulnerability enables the exfiltration of sensitive system information, including database passwords and API keys, by crafting placeholder names that reference internal data. Although pretix has mechanisms to block such malicious placeholders, a coding error rendered these protections ineffective for email subjects. As a precaution, users are advised to rotate all passwords and API keys in their pretix.cfg file.
Exploitation of this vulnerability could lead to unauthorized access to sensitive information within the pretix system, including database passwords and API keys.
Users are recommended to update to pretix version 2026.1.1, 2025.10.2, or 2025.9.4, all of which include the necessary fix. For those using the pretix-doistep plugin, version 1.3.2 is available as a patch.
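As an added illustration of the defensive pattern the description above implies (this is example code written for this note, not pretix's or pretix-doistep's implementation; the allowlist contents, the `{name}` placeholder syntax and the function names are assumptions), the following Python renderer validates every placeholder in both the subject and the body against one fixed allowlist before formatting, so the check cannot be applied to one field and skipped for the other:

```python
import string

# Constructed allowlist for this example. pretix's real placeholder set is not
# given in the advisory; the point is that only bare, known names are accepted.
ALLOWED_PLACEHOLDERS = frozenset({"event", "name", "order_code", "url"})


class UnsafePlaceholder(ValueError):
    """Raised when a template uses a placeholder outside the allowlist."""


def check_placeholders(template: str) -> list[str]:
    """Return the placeholder names a template uses, in order.

    Uses the standard library's format-string parser, so '{{' escapes are
    handled correctly. Anything that is not a bare allowlisted identifier is
    rejected: dotted or indexed names (attribute/item access), conversions
    such as '!r', and format specs (which may nest further fields).
    """
    used = []
    for _literal, field_name, format_spec, conversion in string.Formatter().parse(template):
        if field_name is None:  # literal text, no replacement field
            continue
        if (not field_name.isidentifier()
                or field_name not in ALLOWED_PLACEHOLDERS
                or format_spec or conversion):
            raise UnsafePlaceholder(f"placeholder {field_name!r} is not allowed")
        used.append(field_name)
    return used


def is_safe_template(template: str) -> bool:
    """True if every placeholder passes check_placeholders and the braces are well formed."""
    try:
        check_placeholders(template)
    except ValueError:  # UnsafePlaceholder, or a malformed template from the parser
        return False
    return True


def render_mail(subject_tpl: str, body_tpl: str, context: dict) -> tuple[str, str]:
    """Validate and render subject and body through one and the same path.

    The advisory's root cause was a check that protected the body but not the
    subject; routing every user-editable field through the same validator
    removes that class of inconsistency.
    """
    for field, tpl in (("subject", subject_tpl), ("body", body_tpl)):
        try:
            check_placeholders(tpl)
        except UnsafePlaceholder as exc:
            raise UnsafePlaceholder(f"{field}: {exc}") from None
    # Only allowlisted values reach the formatter; nothing else in the context
    # dict is reachable from the template.
    safe_ctx = {k: str(context.get(k, "")) for k in ALLOWED_PLACEHOLDERS}
    return subject_tpl.format_map(safe_ctx), body_tpl.format_map(safe_ctx)


if __name__ == "__main__":
    # Constructed sample context for a stand-alone run.
    ctx = {"event": "DemoCon", "name": "Ada", "order_code": "ABC12", "url": "https://example.test/order"}
    print(render_mail("Your {event} order {order_code}", "Hi {name}, see {url}", ctx))
```

The two design choices worth copying are that validation happens on the template text before any value is substituted, and that the formatter only ever sees a freshly built dictionary of allowlisted strings rather than the application's live objects.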