CVE-2026-41426

Name of the Vulnerable Software and Affected Versions pretalx versions prior to 2026.1.0

Description An unauthenticated attacker can send arbitrary HTML-rendered emails from the configured sender address of a pretalx instance. This is achieved by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder, such as the account display name. A primary exploitation vector involves the password-reset flow, where an attacker registers an account with a malicious name and triggers a password reset for a victim's email address. Because the email is sent from the legitimate sender address, it passes SPF, DKIM, and DMARC validation, facilitating phishing attacks.

Recommendations Update to version 2026.1.0.