Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: the attacker registers an account with a malicious name, enters the victim's email address, and triggers a password reset. The resulting email is delivered from the event's legitimate sender address and passes SPF/DKIM/DMARC validation, making it a ready-made phishing vector. This vulnerability is fixed in 2026.1.0.
AnalysisAI
Unauthenticated attackers can inject malicious HTML into user-controlled template placeholders in pretalx prior to 2026.1.0, enabling arbitrary HTML-rendered emails to be sent from the conference organizer's legitimate sender address. By registering an account with a crafted display name containing HTML or markdown link syntax and triggering a password reset, an attacker can deliver convincing phishing emails that pass SPF/DKIM/DMARC validation, with user interaction (victim clicking password-reset link) required. This vulnerability is fixed in version 2026.1.0.
Technical ContextAI
pretalx is a conference management platform that uses user-supplied data (such as account display names) within email templates sent during critical workflows like password resets. The vulnerability stems from inadequate HTML/markdown sanitization in the email rendering pipeline (CWE-79: Improper Neutralization of Input During Web Page Generation). When a user registers with a malicious name containing HTML tags or markdown link syntax (e.g., 'phishing link'), this unsanitized input is embedded into email templates. During password-reset requests, the email service renders these templates, executing the attacker's embedded HTML/markdown. Because the email originates from the legitimate sender address configured in the pretalx instance and passes email authentication checks (SPF/DKIM/DMARC are validated at the domain level, not message content), recipients have no technical indication of compromise. The attack exploits the trust relationship between the email authentication infrastructure and email content rendering.
RemediationAI
Upgrade pretalx to version 2026.1.0 or later immediately. The patch includes input sanitization for user-controlled template placeholders (account display names and other user-supplied fields) to neutralize HTML and markdown link injection. Organizations unable to upgrade immediately should implement the following compensating controls: (1) Implement strict email content security policies (CSP headers on any web-based email preview features) to restrict script execution; (2) Add a clear warning banner to all password-reset emails indicating they originate from the pretalx system and instructing users to verify URLs before clicking; (3) Configure email filtering rules to flag emails containing suspicious HTML or markdown syntax patterns; (4) Restrict account registration to trusted users only (disable public registration if feasible) to reduce attacker-controlled input vectors. Note that these controls do not eliminate the vulnerability but reduce phishing effectiveness. Patching is the only complete remediation. Patch availability and download links are available at https://github.com/pretalx/pretalx/security/advisories/GHSA-jm8c-9f3j-4378.
pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Rated medium severity (CVSS 4.3
pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Rated medium severity (CVSS 6.5
pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submissio
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25616