{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41426", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T15:32:33.814Z", "datePublished": "2026-04-24T19:15:39.205Z", "dateUpdated": "2026-04-25T01:50:38.208Z"}, "containers": {"cna": {"title": "pretalx: Email injection via unescaped user-controlled placeholders in pretalx mail templates", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pretalx/pretalx/security/advisories/GHSA-jm8c-9f3j-4378", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pretalx/pretalx/security/advisories/GHSA-jm8c-9f3j-4378"}], "affected": [{"vendor": "pretalx", "product": "pretalx", "versions": [{"version": "< 2026.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:15:39.205Z"}, "descriptions": [{"lang": "en", "value": "pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: the attacker registers an account with a malicious name, enters the victim's email address, and triggers a password reset. The resulting email is delivered from the event's legitimate sender address and passes SPF/DKIM/DMARC validation, making it a ready-made phishing vector. This vulnerability is fixed in 2026.1.0."}], "source": {"advisory": "GHSA-jm8c-9f3j-4378", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-25T01:50:24.719547Z", "id": "CVE-2026-41426", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:50:38.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41426", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-25T01:50:24.719547Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:50:34.356Z"}}], "cna": {"title": "pretalx: Email injection via unescaped user-controlled placeholders in pretalx mail templates", "source": {"advisory": "GHSA-jm8c-9f3j-4378", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "pretalx", "product": "pretalx", "versions": [{"status": "affected", "version": "< 2026.1.0"}]}], "references": [{"url": "https://github.com/pretalx/pretalx/security/advisories/GHSA-jm8c-9f3j-4378", "name": "https://github.com/pretalx/pretalx/security/advisories/GHSA-jm8c-9f3j-4378", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: the attacker registers an account with a malicious name, enters the victim's email address, and triggers a password reset. The resulting email is delivered from the event's legitimate sender address and passes SPF/DKIM/DMARC validation, making it a ready-made phishing vector. This vulnerability is fixed in 2026.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:15:39.205Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41426", "state": "PUBLISHED", "dateUpdated": "2026-04-25T01:50:38.208Z", "dateReserved": "2026-04-20T15:32:33.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T19:15:39.205Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pretalx:pretalx:*:*:*:*:*:*:*:*", "matchCriteriaId": "03EB5005-B230-44D1-ABC5-16C13DC4D187", "versionEndExcluding": "2026.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: the attacker registers an account with a malicious name, enters the victim's email address, and triggers a password reset. The resulting email is delivered from the event's legitimate sender address and passes SPF/DKIM/DMARC validation, making it a ready-made phishing vector. This vulnerability is fixed in 2026.1.0."}], "id": "CVE-2026-41426", "lastModified": "2026-04-28T18:17:40.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T20:16:27.247", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pretalx/pretalx/security/advisories/GHSA-jm8c-9f3j-4378"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2026.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pretalx", "source": "cna", "vendor": "pretalx"}, "product": "pretalx", "vendor": "pretalx"}], "analysis": {"en": {"generated_at": "2026-04-28T05:50:31.662815+00:00", "value": {"mitigation_remediation": ["Upgrade pretalx to version 2026.1.0 or later to apply the official fix.", "If an upgrade is delayed, immediately disable new user registrations or temporarily suspend the password\u2011reset flow to prevent the creation of malicious accounts.", "Review all custom mail templates and sanitize or escape any user\u2011controlled content before rendering to stop injection of arbitrary HTML or Markdown."], "summary": {"action": "Immediate Patch", "impact": "Phishing and email spoofing via crafted emails"}, "threat_synthesis": {"affected_systems": "All versions of pretalx prior to 2026.1.0 are affected. The issue resides in the mail\u2011template rendering logic of the pretalx:pretalx product. Any deployment that uses the default or custom templates with user\u2011controlled placeholders is vulnerable. The vulnerability remains present until the catalogued fix shipped in the 2026.1.0 release.", "description_and_impact": "This vulnerability allows an unauthenticated attacker to inject arbitrary HTML into emails sent by a pretalx instance. By inserting malformed HTML or markdown link syntax into user\u2011controlled placeholders\u2014such as the account display name\u2014the attacker can cause the system to send a fully\u2011rendered message from the event\u2019s legitimate sender address. The resulting message passes SPF/DKIM/DMARC checks, effectively turning the service into a ready\u2011made phishing platform. The flaw is most readily demonstrated through the password\u2011reset flow, where a newly created account with a malicious name triggers a reset email to a victim address.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate impact when considering authentication, but the practical exploitation risk is amplified by the low EPSS (<1%) and the absence from the CISA KEV listing. Nevertheless, the ability to send spoofed emails that satisfy domain\u2011level authentication mechanisms makes the vulnerability attractive for a targeted phishing campaign. Since the attack vector requires no special privileges and can be carried out via a simple web registration form, a malicious actor could generate thousands of convincing emails if the system remains unpatched. The threat is mitigated only by addressing the underlying code flaw or blocking the ability to generate such emails until a patch is applied."}}}}, "created": "2026-04-27T20:15:12.105427+00:00", "updated": "2026-04-28T06:00:09.589932+00:00", "vendors": ["pretalx", "pretalx$PRODUCT$pretalx"]}