pretalx, Cross-site Scripting (XSS), GHSA-jm8c-9f3j-4378 (Medium)

Listen to this Post

How the vulnerability works

The vulnerability lies in the email template rendering logic of pretalx, where user-controlled placeholders are interpolated into outgoing emails without proper sanitization. Specifically, an unauthenticated attacker can inject arbitrary HTML or malformed Markdown syntax into a user-controlled template placeholder, such as the account display name, speaker name, proposal , biography, or question answers. When the email is rendered, the injected content is interpreted as legitimate HTML, allowing the attacker to craft convincing phishing emails that appear to originate from the event’s configured sender address.
The most direct exploitation vector is the password reset flow. The attacker registers an account using a malicious name containing HTML payloads. Then, they request a password reset for the victim’s email address. The resulting password reset email is delivered from the event’s legitimate sender address, and because the email content includes the attacker-controlled name, the malicious HTML is rendered in the victim’s email client. This email passes SPF, DKIM, and DMARC validation, making it highly credible.
The same issue affects all email templates that interpolate any user-controlled placeholder, including organiser-triggered emails such as acceptance or rejection notifications. By carefully crafting the payload, an attacker can embed arbitrary links, images, or form elements, effectively turning the trusted email channel into a phishing delivery mechanism.

dailycve form

Platform: pretalx
Version: <2026.1.0
Vulnerability: Email HTML injection
Severity: Medium
date: 2026-04-18

Prediction: 2026-04-18

What Undercode Say

Analytics

The vulnerability is trivial to exploit and requires no authentication. It abuses the lack of output encoding for user-controlled placeholders in email templates. The email is sent from a trusted domain with valid SPF/DKIM/DMARC, bypassing common anti‑phishing filters. The attack surface is large because the same flaw exists in multiple email templates. The disclosure timeline is unclear, but the advisory was published on 2026-04-18. The fix is to upgrade to version 2026.1.0 or later, which properly escapes HTML in placeholders. The CVSS score is likely Medium (4.3–6.1) due to the requirement for user interaction and the inability to execute arbitrary JavaScript in most email clients.

Bash commands and codes related to the blog

Verify the installed version of pretalx
pip show pretalx | grep Version
Upgrade to the patched version
pip install --upgrade pretalx>=2026.1.0
Check for vulnerable placeholder usage in custom templates
grep -r "{{" /path/to/pretalx/templates/emails/
Simulate an exploit using curl (password reset flow)
curl -X POST https://target.pretalx.example/auth/reset \
-d "[email protected]" \
-d "name=<img src=x onerror=alert('XSS')>"
Monitor outgoing emails for injected HTML
tail -f /var/log/pretalx/mail.log | grep -i "html|phish"

Exploit

  1. Register an account with a malicious display name containing HTML, e.g. <a href="https://attacker.com/phish">Reset your password now</a>.
  2. Trigger a password reset for the victim’s email address.
  3. The victim receives an email from `[email protected]` that includes the malicious link.
  4. The victim clicks the link, believing it is legitimate, and is directed to the attacker’s phishing site.

Protection from this CVE

Impact

  • Phishing: Attackers can send highly credible phishing emails from the event’s trusted domain.
  • Credential theft: Victims may enter their credentials on a fake login page.
  • Reputation damage: The event’s brand is abused to distribute malicious content.
  • Widespread exploitation: The same vulnerability exists in multiple email templates, increasing the attack surface.
  • Bypass of email security: The emails pass SPF, DKIM, and DMARC validation, evading standard anti‑phishing filters.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top