Information Disclosure Vulnerability in Pretix Email Template System
CVE-2026-2415

7.5 HIGH

Key Information:

Vendor: Pretix
Status: Vendor
CVE Published: 16 February 2026

What is CVE-2026-2415?

Pretix, an event ticketing software, has a vulnerability that allows potential information disclosure through its email template system. The issue arises from the use of placeholders in emails, which can be manipulated to exfiltrate sensitive data such as database passwords and API keys. Specifically, templates can be crafted to include malicious placeholders, allowing attackers who can control email templates to retrieve system configuration details. Additionally, because placeholders in email subjects and bodies are evaluated multiple times, a value supplied through a user-controlled placeholder such as {invoice_company} can itself be interpreted as a template on a later evaluation pass. While the likelihood of exploitation in typical scenarios may be low, it's crucial to take precautions, including rotating all sensitive credentials.
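To make the multi-pass evaluation problem concrete, here is an added example that is not pretix code and does not reflect its internals: a toy renderer that re-substitutes its own output (the failure mode described above) next to a single-pass, allow-listed renderer, plus a small audit helper for spotting placeholder-looking tokens in stored values. The context dictionary, the placeholder names other than {invoice_company}, and the "internal_setting" value are constructed for this example.

```python
import re

# A {name} placeholder, as a simple str.format-style template engine would see it.
PLACEHOLDER_RE = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed context (not pretix's). "internal_setting" stands in for any
# configuration value that must never be rendered into an email.
CONTEXT = {
    "event_name": "Example Conference",
    # user-controlled field whose value happens to contain a placeholder
    "invoice_company": "Acme Ltd {internal_setting}",
    "internal_setting": "STAND-IN-VALUE-not-a-real-secret",
}

# Placeholders a template author is allowed to use in emails.
ALLOWED = {"event_name", "invoice_company"}


def render_multipass(template, context, passes=2):
    """Naive renderer that feeds its own output back into substitution.

    A placeholder that appears inside a substituted value is expanded on the
    next pass, so a user-controlled field effectively becomes a template.
    """
    text = template
    for _ in range(passes):
        text = PLACEHOLDER_RE.sub(
            lambda m: str(context.get(m.group(1), m.group(0))), text)
    return text


def render_singlepass(template, context, allowed=ALLOWED):
    """Hardened renderer: exactly one pass over the original template.

    Substituted values are inserted verbatim and never re-scanned, and only
    allow-listed placeholder names resolve; anything else stays literal text,
    so an unexpected name is visible in the output rather than expanded.
    """
    def repl(m):
        name = m.group(1)
        if name in allowed and name in context:
            return str(context[name])
        return m.group(0)
    return PLACEHOLDER_RE.sub(repl, template)


def unexpected_placeholders(value, allowed=ALLOWED):
    """Audit helper: placeholder-looking tokens in a stored value that are not
    allow-listed. Intended for scanning saved templates and user-supplied
    fields (such as invoice company names) as part of an incident review."""
    return sorted({n for n in PLACEHOLDER_RE.findall(value) if n not in allowed})


if __name__ == "__main__":
    tmpl = "Thanks for registering for {event_name}. Invoice to: {invoice_company}"
    print("multi-pass :", render_multipass(tmpl, CONTEXT))
    print("single-pass:", render_singlepass(tmpl, CONTEXT))
    print("audit      :", unexpected_placeholders(CONTEXT["invoice_company"]))
```

Running the block shows the multi-pass output containing the stand-in value while the single-pass output keeps the literal text "{internal_setting}" inside the company name. The audit helper is the defender-side check: run it over stored templates and free-text customer fields to find values that reference names outside the allow-list.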

Affected Version(s)

pretix 4.16.0 < 2025.9.0

pretix 2025.9.0 < 2025.10.0

pretix 2025.10.0 < 2026.1.0

References

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
