GHSA-jm8c-9f3j-4378: Unauthenticated Email Content Injection in Pretalx Template Engine
Vulnerability ID: GHSA-JM8C-9F3J-4378
CVSS Score: 6.1
Published: 2026-04-18
Pretalx versions prior to 2026.1.0 contain a template injection vulnerability allowing unauthenticated attackers to embed malformed HTML and Markdown into system-generated emails. By exploiting unsanitized placeholders in the mail generation engine, attackers can spoof trusted communications that pass SPF, DKIM, and DMARC validations.
TL;DR
Unauthenticated attackers can inject malicious links into official Pretalx emails by manipulating user-controlled profile fields, bypassing email sender reputation checks.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Type: Email Content Injection
- Primary CWE: CWE-1336
- Attack Vector: Network
- Privileges Required: None
- User Interaction: Required
- CVSS v3.1 Score: 6.1
- Exploit Status: Proof of Concept
Affected Systems
- pretalx (PyPI)
- pretalx: < 2026.1.0 (Fixed in: 2026.1.0)
Mitigation Strategies
- Upgrade the Pretalx application to the latest stable release containing the security patch.
- Apply localized template escaping filters to user-controlled variables if immediate upgrade is not possible.
- Implement registration endpoint monitoring to detect anomalous payload signatures in profile fields.
Remediation Steps
- Verify the current running version of Pretalx via the administration dashboard or application environment.
- Pull the latest pretalx package version (2026.1.0 or newer) from PyPI.
- Execute the deployment upgrade sequence, ensuring all static files and database migrations are applied.
- Review user databases for accounts created with HTML or Markdown syntax in the name fields to identify previous exploitation attempts.
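The escaping mitigation above and the last remediation step (auditing stored names for HTML or Markdown syntax) can both be exercised with the following added example. It is illustrative code written for this advisory, not pretalx's own mail engine; it assumes a `{name}` placeholder substituted into a Markdown-formatted mail body, and the sample names and detection patterns are constructed.

```python
import html
import re

# Constructed heuristic: HTML tags, Markdown links/images, or bare URLs in a
# display-name field. Real names rarely contain any of these.
SUSPICIOUS_NAME = re.compile(
    r"<[^>]+>|\[[^\]]*\]\([^)]*\)|https?://", re.IGNORECASE
)


def is_suspicious_name(name: str) -> bool:
    """Flag a profile name that carries HTML or Markdown link syntax."""
    return bool(SUSPICIOUS_NAME.search(name))


def render_unsafe(template: str, name: str) -> str:
    """'Before': the placeholder is substituted verbatim, so any markup in
    the user-controlled name becomes part of the outgoing mail body."""
    return template.replace("{name}", name)


def render_safe(template: str, name: str) -> str:
    """'After': HTML-escape the value and backslash-escape the characters
    Markdown uses for link syntax, so the name renders as literal text."""
    escaped = html.escape(name, quote=True)
    escaped = re.sub(r"([\[\]()])", r"\\\1", escaped)
    return template.replace("{name}", escaped)


def audit_names(names):
    """Return the subset of stored names that look like injection attempts
    (the review step recommended after upgrading)."""
    return [n for n in names if is_suspicious_name(n)]


if __name__ == "__main__":
    # Constructed sample of stored profile names for the audit.
    stored = [
        "Jane O'Brien (she/her)",
        "Alice [Reset your password](https://example.invalid/reset)",
        "<a href='https://example.invalid'>Bob</a>",
    ]
    template = "Hello {name}, your submission was received."
    for flagged in audit_names(stored):
        print("FLAGGED:", flagged)
        print("  unsafe:", render_unsafe(template, flagged))
        print("  safe:  ", render_safe(template, flagged))
```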
References
- GitHub Security Advisory GHSA-jm8c-9f3j-4378
- OSV Record GHSA-jm8c-9f3j-4378
- Vulnerability Database GCVE