
Pretalx Email Templates Allow Malicious Emails to Be Sent as Legitimate

GHSA-jm8c-9f3j-4378
## Summary

An attacker can send fake emails that appear to come from a legitimate sender address, potentially phishing victims. This can happen when a password reset is triggered for an account whose display name contains malicious content and the resulting email reaches an unsuspecting victim, or when other user-controlled information is inserted into emails without escaping. Update pretalx to the latest version to fix this issue.

## What to do
  • Update pretalx to version 2026.1.0.
## Affected software

| Ecosystem | Vendor | Product | Affected versions |
|-----------|--------|---------|-------------------|
| pip | – | pretalx | < 2026.1.0 |

Fix: upgrade to 2026.1.0
## Original title
pretalx mail templates vulnerable to email injection via unescaped user-controlled placeholders
## Original description
An unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: the attacker registers an account with a malicious name, enters the victim's email address, and triggers a password reset. The resulting email is delivered from the event's legitimate sender address and passes SPF/DKIM/DMARC validation, making it a ready-made phishing vector.

The same class of bug affects every mail template that interpolates a user-controlled placeholder (speaker name, proposal title, biography, question answers, etc.), including organiser-triggered emails such as acceptance/rejection notifications.

### Credits

Thanks go to Mark Fijneman for finding and reporting a subset of this issue, which alerted us to the wider vulnerability.
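The bug class the advisory describes (a user-controlled placeholder substituted into a mail template before markdown/HTML rendering, so the value is parsed as markup) is shown below as an added illustration; this is not pretalx's code. The template text, the placeholder names, the minimal markdown converter and the constructed display name are all assumptions made for the example. The hardened variant renders the template's own markdown first and only then substitutes HTML-escaped values, so user content is never seen by the markdown parser and never interpreted as HTML; `looks_like_markup` is an optional defence-in-depth check for flagging suspicious profile fields.

```python
import html
import re

# Minimal stand-in for a markdown-to-HTML renderer (assumption, not pretalx's
# renderer): converts [text](url) links and line breaks, and passes inline HTML
# through untouched, which is exactly what makes unescaped placeholders unsafe.
_MD_LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")


def markdown_to_html(text: str) -> str:
    text = _MD_LINK.sub(r'<a href="\2">\1</a>', text)
    return text.replace("\n", "<br>\n")


# Constructed password-reset template; placeholder names are assumptions.
RESET_TEMPLATE = (
    "Hello {name},\n"
    "A password reset was requested for your account.\n"
    "[Reset your password]({reset_url})"
)

# Constructed display name containing markdown link syntax (the kind of
# user-controlled value the advisory talks about).
CONSTRUCTED_NAME = "[Security team](https://example.invalid/verify)"


def render_vulnerable(template: str, context: dict) -> str:
    """Substitutes raw values, then renders markdown.

    Any HTML or markdown inside a user-controlled value is parsed as markup
    and ends up in the email body as live links/tags.
    """
    return markdown_to_html(template.format(**context))


def render_hardened(template: str, context: dict) -> str:
    """Renders the template's own markdown first, then substitutes values.

    Every value is HTML-escaped (including URLs: '&' becomes '&amp;', which is
    the correct encoding inside an href attribute). Substituting after
    rendering means the markdown parser never sees user content at all.
    """
    rendered = markdown_to_html(template)
    safe = {key: html.escape(str(value), quote=True) for key, value in context.items()}
    return rendered.format(**safe)


# Tag-like syntax or a markdown link inside a field that should be plain text.
_SUSPICIOUS = re.compile(r"<[a-zA-Z/!]|\[[^\]]*\]\([^)]*\)")


def looks_like_markup(value: str) -> bool:
    """Flags a user-supplied field (display name, title, ...) that contains
    HTML tag syntax or a markdown link, for logging or manual review.
    Defence in depth only: escaping at render time is the actual fix."""
    return bool(_SUSPICIOUS.search(value))


def demo() -> dict:
    """Renders the same context both ways so the difference is visible."""
    context = {
        "name": CONSTRUCTED_NAME,
        "reset_url": "https://pretalx.example.invalid/reset?token=abc&u=1",
    }
    return {
        "vulnerable": render_vulnerable(RESET_TEMPLATE, context),
        "hardened": render_hardened(RESET_TEMPLATE, context),
        "flagged": looks_like_markup(context["name"]),
    }


if __name__ == "__main__":
    for label, body in demo().items():
        print(f"--- {label} ---")
        print(body)
```

In the vulnerable output the display name becomes a clickable link to the attacker-chosen URL, styled exactly like the legitimate reset link; in the hardened output it appears as literal text, while the application-generated reset link still renders correctly.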
Severity: CVSS 3.1 base score 6.1 (GHSA)

## Vulnerability type

  • CWE-79 Cross-site Scripting (XSS)
  • CWE-116 Improper Encoding or Escaping of Output
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026