GHSA-jm8c-9f3j-4378: Unauthenticated Email Content Injection in Pretalx Template Engine

Pretalx prior to version 2026.1.0 contains an improper neutralization vulnerability (CWE-1336) within its mail template engine. The software fails to adequately sanitize user-supplied data prior to embedding it in system-generated emails. This allows unauthenticated external actors to inject arbitrary HTML or Markdown sequences into outgoing messages.

The event management platform heavily relies on automated email generation to handle user lifecycle events, such as password resets, account registrations, and proposal submissions. These templates interpolate dynamic variables fetched from database records. User-controlled fields like account display names or proposal titles form the primary attack surface.

The vulnerability transforms the Pretalx application into a highly credible phishing proxy. Because the malicious payload originates from the application's core mail engine, the resulting emails originate from the legitimate server infrastructure. Attackers leverage this trusted origin to conduct highly targeted social engineering campaigns against system users or third-party victims.

The underlying flaw resides in the template processing logic handling dynamic email content. When Pretalx generates notifications, it passes a context dictionary containing user and proposal objects to the rendering engine. The rendering engine substitutes placeholders directly into the template string without applying context-aware output encoding.

Template engines typically enforce strict escaping rules for HTML responses to prevent Cross-Site Scripting (XSS). Email templates often require specialized handling due to dual-format rendering (plain text and HTML) and markdown conversion requirements. In Pretalx, the user input bypassing sanitization allows structural characters, such as angle brackets <> and markdown link syntax [](), to remain active in the rendered output.

When a user sets their display name to an HTML anchor tag, the database stores the raw string. Upon triggering a password reset, the mail generation module fetches the victim's email address and the initiator's display name. The application logic fails to distinguish between the structural template syntax and the substituted variable content.

The vulnerable code path involves the interaction between the Django-based model attributes and the email generation templates. In unpatched versions, templates directly reference user-controlled fields without explicitly forcing string escaping for text intended for HTML formatting.

Consider the vulnerable template logic used for notification generation. The application extracts the user.name property and interpolates it directly into the email body payload. Because the context is assumed to be plain text before processing, no automatic HTML escaping occurs.

<!-- Vulnerable Template Representation -->
Hello {{ user.name }},
 
We received a request to reset the password for your account.

The fix implemented in version 2026.1.0 introduces comprehensive sanitization for all interpolated variables destined for email bodies. The patch modifies the template rendering pipeline to enforce escaping routines that neutralize HTML entities and control characters associated with markdown formatting.

<!-- Patched Template Representation -->
Hello {{ user.name|force_escape }},
 
We received a request to reset the password for your account.

This explicit escaping ensures that characters like < and > are converted to their corresponding HTML entities (< and >). The rendering engine correctly processes the entities as literal text rather than structural syntax. Code review indicates the fix addresses the primary injection vectors across standard mail templates.

Exploitation requires no prior authentication or specialized network position. The attack methodology relies entirely on interacting with public-facing registration and password reset endpoints. The attacker initiates the sequence by creating a new account on the target Pretalx instance.

During registration, the attacker injects the payload into the display name field. A typical payload leverages standard HTML anchor tags combined with a comment block to truncate the remainder of the legitimate email text. For example, the attacker submits <a href="https://malicious-domain.example.com">Click here to secure your account</a><!-- as their name.

Once the account exists, the attacker utilizes the password reset functionality, specifying the target victim's email address. The Pretalx server processes the request and generates a password reset email. The system interpolates the attacker's payload into the greeting line of the email.

The resulting email is dispatched from the Pretalx server's IP address and domain. It cryptographically signs the message, satisfying DomainKeys Identified Mail (DKIM) checks. The sender domain matches the Return-Path, aligning with Sender Policy Framework (SPF) rules. The victim's mail transport agent receives a fully validated, legitimate email containing the attacker's phishing link.

The CVSS v3.1 vector evaluates to CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, reflecting a Medium severity score of 6.1. The Scope (S) is marked as Changed (C) because the vulnerability within the web application platform directly impacts the security context of the victim's email client. The attacker utilizes the application to pivot into the end-user's trust domain.

The immediate impact is the facilitation of highly successful phishing campaigns. Attackers can bypass organizational email filters and security gateways because the physical origin and cryptographic signatures of the emails belong to a trusted entity. Victims are significantly more likely to interact with links in emails originating from a recognized conference or event management platform.

The vulnerability enables credential harvesting, session hijacking, or malware distribution, depending entirely on the nature of the injected link. While the direct impact on the Pretalx server's confidentiality and integrity remains limited (C:L, I:L), the organizational reputational damage and the risk to users are substantial. Event organizers face the liability of their infrastructure being weaponized against attendees.

The primary remediation strategy requires updating the Pretalx installation to version 2026.1.0 or higher. This release contains the necessary template filter adjustments to properly sanitize all user-controlled variables during email rendering. System administrators should schedule this upgrade immediately, particularly for instances exposing public registration flows.

If patching is temporarily unfeasible, administrators must implement mitigation strategies at the infrastructure level. Modifying the underlying Django templates locally to apply force_escape or similar filters to all {{ user.name }} and {{ proposal.title }} tags offers an interim solution. This manual intervention prevents the structural rendering of injected payloads.

Security teams should configure log monitoring specifically targeting the user registration endpoints. Detection rules must flag account creations where the display name or biography fields contain HTML tags, markdown link syntax, or excessive special characters. A high volume of password reset requests originating from a single IP address also indicates potential abuse of this vector.