pretalx
cpe:2.3:a:pretalx:pretalx:*:*:*:*:*:*:*
- < 2026.1.0
A vulnerability in Pretalx prior to version 2026.1.0 allows unauthenticated attackers to send arbitrary HTML-rendered emails from the application's configured sender address. The root cause is that user-controlled values are substituted into email templates as placeholders (for example the account display name) and the result is then rendered as markdown/HTML, so malformed HTML or markdown link syntax placed in such a value ends up as live markup in the outgoing message. The vulnerability can be exploited through the password-reset process: an attacker registers an account whose name carries the malicious markup, enters a victim's email address, and initiates a password reset. Because the message is genuinely sent by the application's own mail infrastructure, it appears to come from a legitimate source and passes SPF, DKIM, and DMARC validation, creating a phishing opportunity. This issue also affects other email templates that use user-controlled placeholders, including organizer-triggered notifications.
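The following is an added illustration of the vulnerable pattern and one way to harden it; it is not pretalx's own code and does not reproduce the project's templates or its actual fix. It assumes a hypothetical template, a minimal regex-based markdown link renderer standing in for a real markdown library, and a constructed attacker display name. The hardened variant renders the trusted template to HTML first and only then substitutes HTML-escaped placeholder values, so attacker-controlled text can never become markup.

```python
import html
import re
from urllib.parse import urlparse

# Minimal stand-in for a markdown renderer: only handles [text](url) links.
# A real library would also render headings, emphasis, raw HTML, etc.
_MD_LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")


def render_markdown(text: str) -> str:
    """Turn markdown link syntax into HTML anchors (toy renderer)."""
    return _MD_LINK.sub(r'<a href="\2">\1</a>', text)


# Hypothetical password-reset template with two placeholders (assumption,
# not the project's real template text).
TEMPLATE = "Hi {name}, reset your password here: [Reset]({reset_url})"

# Constructed attacker display name: markdown link plus raw HTML.
ATTACKER_NAME = (
    "[Account suspended <b>verify now</b>](https://attacker.example/login)"
)
RESET_URL = "https://example.org/reset?token=abc"


def render_vulnerable(template: str, **values: str) -> str:
    """Substitute placeholders, THEN render markdown.

    Anything the user put into a placeholder is interpreted as markdown,
    so a display name can inject links or HTML into the email body.
    """
    return render_markdown(template.format(**values))


def render_hardened(template: str, **values: str) -> str:
    """Render the trusted template first, then insert escaped values.

    Placeholder values are HTML-escaped and never pass through the markdown
    renderer, so they can only ever appear as literal text.
    """
    rendered = render_markdown(template)
    escaped = {k: html.escape(str(v), quote=True) for k, v in values.items()}
    return rendered.format(**escaped)


def extract_link_hosts(html_body: str) -> set:
    """Return the set of hostnames referenced by href attributes.

    Useful as a post-render check: every link in an outbound email should
    point at hosts the application itself controls.
    """
    hosts = set()
    for url in re.findall(r'href="([^"]+)"', html_body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def demo() -> dict:
    """Render the constructed attack through both code paths."""
    vuln = render_vulnerable(TEMPLATE, name=ATTACKER_NAME, reset_url=RESET_URL)
    safe = render_hardened(TEMPLATE, name=ATTACKER_NAME, reset_url=RESET_URL)
    return {
        "vulnerable": vuln,
        "vulnerable_hosts": extract_link_hosts(vuln),
        "hardened": safe,
        "hardened_hosts": extract_link_hosts(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable path the attacker's name becomes a clickable link to attacker.example inside a message that the victim's mail server will authenticate as legitimate; in the hardened path the same name is just inert text. The `extract_link_hosts` check is the kind of allow-list assertion worth adding to an outbound-mail test suite regardless of how templates are rendered.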
Exploitation of this vulnerability amounts to email content injection: an attacker can deliver phishing emails, with arbitrary links and HTML of their choosing, that originate from the Pretalx instance's legitimate sender address and mail infrastructure.
Users can upgrade to Pretalx version 2026.1.0 or later to address this vulnerability.