CVE-2026-2451 Unsafe variable evaluation in email templates

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained a security-relevant bug: It was possible to exfiltrate information...

CVE-2026-2451

CVE-2026-2451 concerns pretix: an information-exfiltration flaw via email template placeholders. When templates substitute user data (e.g., {name}), an attacker who can control templates could craft placeholders like {{event.init .code .co_filename}} to read sensitive system configuration data, p...

MAL-2025-47916 Malicious code in @hash-validator/v2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware be7ccca438d061fd1d98fb1061421f517bccb37ba164e017caf7b8f8db366e2e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-5639 Malicious code in print-vault-node (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0e05d07d0cbe84e8ef4ca39905adcf78905393b39d322ae7e582ad1ae99b177a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-5562 Malicious code in ipmi-command (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4ae45e03814e3e6804cac4e616877eecf2a0865d1ab813e7a2a273778899bc16 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-5395 Malicious code in dynamic-importer2 (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4468869b1899f5d6f33a0bb39a221a394f0d1fcce1dc46f3f2127636a40b500b Any computer that has this package installed or running should be considered...

MAL-2025-4993 Malicious code in boost-chii (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ac33b7f9bd3634fd513bc6cdf809460ef22919a7841d779fe3cfca4c733874c8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-4860 Malicious code in opensearch-with-grafana-lambdas (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1610e128601e1cf8f57fb7382fb6310a88b8420bcf1aa66c7e0c8b488b5477dc Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-3721 Malicious code in braze-i18n-knockout (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ca6ae5dbaa6927991987f0b0e26192dcbfc2fbcbeeca91e3cb34621bd6f1a48b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-3235 Malicious code in dc-genai-dropin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4921314e7e97ba500355f996a14c9619cadf54912d2dfdbe5eb22750a5e5c1c8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-3124 Malicious code in twc-app-example-vue (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 274ea59bea6b31be4c1b08dce0b142ccdff5b3d9541c5edecd6cab49226d93cd Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-2574 Malicious code in migu-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ecb336887faf02039935f114ebb2564586a99bfe58a39d4ab59b3899818e1dc9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-2176 Malicious code in innersource-sig (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ad63dcd1fd3cabf0e50ad3470ccfe9c3e73d7cd254df8f86133563b829882b09 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-303 Malicious code in sdk-coin-ada (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c39dc006518bfc9ed3a2846ae2e407993b19b826cb2c30c0a31bace1a1ee06f3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-215 Malicious code in percy-cake-electron-app (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 84391faa58dbd8fba6583b300874c0f4eeb13fef558586ce912dc3b8d9ba314a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2025-180 Malicious code in delegator-core-viem (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware abfbbf539b90caab925674f6beebb0623e42d576e687d703a9facfd25df6bbc4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2024-11123 Malicious code in req-ip-scope (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4cac8b2dfbc3066e94727e843a2abe5a2af44476170248c207bf5026a8892d18 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2024-10955 Malicious code in commitlint-plugin-rules-an (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6c03c634d44275626fafed374fe4584c0eb7ad65b4962926f8cdf2a8baf76dfc Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2024-10252 Malicious code in selfcord-js-v14 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0b0e9e33909863c6f23c6ce24eaf85fb8bed03f1fd45f930af826a2f8096b3aa Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2024-9386 Malicious code in mp3-file-zip-d-ownload-welcome-to-mali-ntp96-jgcurk (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7e7e81cbd6ad8ee7eb04588e6fec967a31ee4e9528bf73c5c1c3e5f53565645f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...