Pretalx · Pretalx · CVE-2026-41426
**Name of the Vulnerable Software and Affected Versions**
pretalx versions prior to 2026.1.0
**Description**
An unauthenticated attacker can send arbitrary HTML-rendered emails from the configured sender address of a pretalx instance. This is achieved by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder, such as the account display name. A primary exploitation vector involves the password-reset flow, where an attacker registers an account with a malicious name and triggers a password reset for a victim's email address. Because the email is sent from the legitimate sender address, it passes SPF, DKIM, and DMARC validation, facilitating phishing attacks.
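As an added illustration, not code from pretalx itself, the rendering pattern behind this class of bug beside a hardened form: a trusted email template is rendered to HTML, and a user-controlled placeholder (the display name) is interpreted as markup only if it is substituted before that rendering step. The markdown renderer, function names and sample data are all hypothetical stand-ins and handle only `[text](url)` links and HTML tags.

```python
import html
import re
import string

# Hypothetical stand-in for the markdown-to-HTML step of an email renderer;
# pretalx's real renderer is not reproduced. It only converts [text](url).
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
TAG_RE = re.compile(r"<[^>]+>")


def render_markdown(text: str) -> str:
    return LINK_RE.sub(r'<a href="\2">\1</a>', text)


def render_email_unsafe(template: str, placeholders: dict) -> str:
    """Vulnerable pattern: user data is pasted into the body first, then the
    whole body (user data included) is interpreted as markdown and HTML."""
    body = string.Template(template).substitute(placeholders)
    return render_markdown(body)


def render_email_safe(template: str, placeholders: dict) -> str:
    """Hardened pattern: render the trusted template to HTML on its own, then
    insert each placeholder value HTML-escaped, so it can only ever be text."""
    rendered = render_markdown(template)
    escaped = {k: html.escape(v, quote=True) for k, v in placeholders.items()}
    return string.Template(rendered).substitute(escaped)


def placeholder_carries_markup(value: str) -> bool:
    """Input-side check for a display name that would be interpreted as
    markdown link syntax or an HTML tag; usable as a validation rule on
    registration or as a detection signal over existing accounts."""
    return bool(LINK_RE.search(value) or TAG_RE.search(value))


# Constructed sample data, not taken from the advisory.
TEMPLATE = "Hello $name, open [your account]($url) to reset your password."
VALUES = {"name": "Alex <b>Example</b>", "url": "https://pretalx.example/reset"}

if __name__ == "__main__":
    print(render_email_unsafe(TEMPLATE, VALUES))  # name's tag survives as HTML
    print(render_email_safe(TEMPLATE, VALUES))    # name's tag rendered as text
```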
**Recommendations**
Update to version 2026.1.0.