CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-JM8C-9F3J-4378

GHSA-jm8c-9f3j-4378: Unauthenticated Email Content Injection in Pretalx Template Engine

Alon Barad
Alon Barad
Software Engineer

Apr 19, 2026·6 min read·21 visits

Executive Summary (TL;DR)

Unauthenticated attackers can inject malicious links into official Pretalx emails by manipulating user-controlled profile fields, bypassing email sender reputation checks.

Pretalx versions prior to 2026.1.0 contain a template injection vulnerability allowing unauthenticated attackers to embed malformed HTML and Markdown into system-generated emails. By exploiting unsanitized placeholders in the mail generation engine, attackers can spoof trusted communications that pass SPF, DKIM, and DMARC validations.

Vulnerability Overview

Pretalx prior to version 2026.1.0 contains an improper neutralization vulnerability (CWE-1336) within its mail template engine. The software fails to adequately sanitize user-supplied data prior to embedding it in system-generated emails. This allows unauthenticated external actors to inject arbitrary HTML or Markdown sequences into outgoing messages.

The event management platform heavily relies on automated email generation to handle user lifecycle events, such as password resets, account registrations, and proposal submissions. These templates interpolate dynamic variables fetched from database records. User-controlled fields like account display names or proposal titles form the primary attack surface.

The vulnerability transforms the Pretalx application into a highly credible phishing proxy. Because the malicious payload originates from the application's core mail engine, the resulting emails originate from the legitimate server infrastructure. Attackers leverage this trusted origin to conduct highly targeted social engineering campaigns against system users or third-party victims.

Root Cause Analysis

The underlying flaw resides in the template processing logic handling dynamic email content. When Pretalx generates notifications, it passes a context dictionary containing user and proposal objects to the rendering engine. The rendering engine substitutes placeholders directly into the template string without applying context-aware output encoding.

Template engines typically enforce strict escaping rules for HTML responses to prevent Cross-Site Scripting (XSS). Email templates often require specialized handling due to dual-format rendering (plain text and HTML) and markdown conversion requirements. In Pretalx, the user input bypassing sanitization allows structural characters, such as angle brackets <> and markdown link syntax [](), to remain active in the rendered output.

When a user sets their display name to an HTML anchor tag, the database stores the raw string. Upon triggering a password reset, the mail generation module fetches the victim's email address and the initiator's display name. The application logic fails to distinguish between the structural template syntax and the substituted variable content.

Code Analysis

The vulnerable code path involves the interaction between the Django-based model attributes and the email generation templates. In unpatched versions, templates directly reference user-controlled fields without explicitly forcing string escaping for text intended for HTML formatting.

Consider the vulnerable template logic used for notification generation. The application extracts the user.name property and interpolates it directly into the email body payload. Because the context is assumed to be plain text before processing, no automatic HTML escaping occurs.

<!-- Vulnerable Template Representation -->
Hello {{ user.name }},
 
We received a request to reset the password for your account.

The fix implemented in version 2026.1.0 introduces comprehensive sanitization for all interpolated variables destined for email bodies. The patch modifies the template rendering pipeline to enforce escaping routines that neutralize HTML entities and control characters associated with markdown formatting.

<!-- Patched Template Representation -->
Hello {{ user.name|force_escape }},
 
We received a request to reset the password for your account.

This explicit escaping ensures that characters like < and > are converted to their corresponding HTML entities (&lt; and &gt;). The rendering engine correctly processes the entities as literal text rather than structural syntax. Code review indicates the fix addresses the primary injection vectors across standard mail templates.

Exploitation Methodology

Exploitation requires no prior authentication or specialized network position. The attack methodology relies entirely on interacting with public-facing registration and password reset endpoints. The attacker initiates the sequence by creating a new account on the target Pretalx instance.

During registration, the attacker injects the payload into the display name field. A typical payload leverages standard HTML anchor tags combined with a comment block to truncate the remainder of the legitimate email text. For example, the attacker submits <a href="https://malicious-domain.example.com">Click here to secure your account</a><!-- as their name.

Once the account exists, the attacker utilizes the password reset functionality, specifying the target victim's email address. The Pretalx server processes the request and generates a password reset email. The system interpolates the attacker's payload into the greeting line of the email.

The resulting email is dispatched from the Pretalx server's IP address and domain. It cryptographically signs the message, satisfying DomainKeys Identified Mail (DKIM) checks. The sender domain matches the Return-Path, aligning with Sender Policy Framework (SPF) rules. The victim's mail transport agent receives a fully validated, legitimate email containing the attacker's phishing link.

Impact Assessment

The CVSS v3.1 vector evaluates to CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, reflecting a Medium severity score of 6.1. The Scope (S) is marked as Changed (C) because the vulnerability within the web application platform directly impacts the security context of the victim's email client. The attacker utilizes the application to pivot into the end-user's trust domain.

The immediate impact is the facilitation of highly successful phishing campaigns. Attackers can bypass organizational email filters and security gateways because the physical origin and cryptographic signatures of the emails belong to a trusted entity. Victims are significantly more likely to interact with links in emails originating from a recognized conference or event management platform.

The vulnerability enables credential harvesting, session hijacking, or malware distribution, depending entirely on the nature of the injected link. While the direct impact on the Pretalx server's confidentiality and integrity remains limited (C:L, I:L), the organizational reputational damage and the risk to users are substantial. Event organizers face the liability of their infrastructure being weaponized against attendees.

Remediation and Mitigation

The primary remediation strategy requires updating the Pretalx installation to version 2026.1.0 or higher. This release contains the necessary template filter adjustments to properly sanitize all user-controlled variables during email rendering. System administrators should schedule this upgrade immediately, particularly for instances exposing public registration flows.

If patching is temporarily unfeasible, administrators must implement mitigation strategies at the infrastructure level. Modifying the underlying Django templates locally to apply force_escape or similar filters to all {{ user.name }} and {{ proposal.title }} tags offers an interim solution. This manual intervention prevents the structural rendering of injected payloads.

Security teams should configure log monitoring specifically targeting the user registration endpoints. Detection rules must flag account creations where the display name or biography fields contain HTML tags, markdown link syntax, or excessive special characters. A high volume of password reset requests originating from a single IP address also indicates potential abuse of this vector.

Official Patches

pretalxPretalx Package Repository

Technical Appendix

CVSS Score
6.1/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Systems

pretalx (PyPI)

Affected Versions Detail

Product
Affected Versions
Fixed Version
pretalx
pretalx
< 2026.1.02026.1.0
AttributeDetail
Vulnerability TypeEmail Content Injection
Primary CWECWE-1336
Attack VectorNetwork
Privileges RequiredNone
User InteractionRequired
CVSS v3.1 Score6.1
Exploit StatusProof of Concept

MITRE ATT&CK Mapping

T1566.001Phishing: Spearphishing Attachment/Link
Initial Access
T1204.001User Execution: Malicious Link
Execution
CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine

The software uses a template engine to insert or process data, but it does not neutralize or incorrectly neutralizes special elements that can alter the intended logic or layout of the template.

Vulnerability Timeline

Advisory GHSA-jm8c-9f3j-4378 published
2026-04-18
Fix released in version 2026.1.0
2026-04-18
Vulnerability details disclosed to the public
2026-04-18

References & Sources

  • [1]GitHub Security Advisory GHSA-jm8c-9f3j-4378
  • [2]OSV Record GHSA-jm8c-9f3j-4378
  • [3]Vulnerability Database GCVE

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 18 hours ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 19 hours ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
7 views•6 min read
•about 21 hours ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
7 views•7 min read
•about 22 hours ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 23 hours ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 24 hours ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read