2 matches found
pretix unsafely evaluates variables in emails
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: - It was possible to exfiltrate informati...
CVE-2026-2451
CVE-2026-2451 concerns pretix: an information-exfiltration flaw via email template placeholders. When templates substitute user data (e.g., {name}), an attacker who can control templates could craft placeholders like {{event.init .code .co_filename}} to read sensitive system configuration data, p...