AI News Hub

GHSA-jm8c-9f3j-4378: Unauthenticated Email Content Injection in Pretalx Template Engine

DEV Community
CVE Reports

Vulnerability ID: GHSA-JM8C-9F3J-4378
CVSS v3.1 Score: 6.1
Published: 2026-04-18
Vulnerability Type: Email Content Injection
Primary CWE: CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
Attack Vector: Network
Privileges Required: None
User Interaction: Required
Exploit Status: Proof of Concept

Summary: Pretalx versions prior to 2026.1.0 contain a template injection vulnerability that allows an unauthenticated attacker to embed attacker-controlled HTML and Markdown in system-generated emails. User-controlled profile fields (notably the name) are substituted into mail templates without escaping, so an attacker who registers an account with markup in those fields can place malicious links inside official Pretalx emails.

Why sender authentication does not help: the injected content travels in a genuine message sent by the Pretalx instance's own mail infrastructure. SPF, DKIM and DMARC therefore pass and sender-reputation checks give no signal; the recipient sees an authenticated email from the instance's configured sender address that happens to contain an attacker-supplied link. The attack still requires the recipient to act on that link (User Interaction: Required).

Affected package: pretalx (PyPI), versions < 2026.1.0. Fixed in: 2026.1.0.

Mitigations:
- Upgrade Pretalx to the latest stable release containing the security patch (2026.1.0 or newer).
- If an immediate upgrade is not possible, escape user-controlled variables (the profile name and similar fields) before they are substituted into mail templates.
- Monitor the registration and profile-update endpoints for HTML tags, Markdown link syntax or URLs in profile fields.

Remediation Steps:
1. Verify the currently running version of Pretalx via the administration dashboard or the application environment.
2. Pull the latest pretalx package version (2026.1.0 or newer) from PyPI.
3. Execute the deployment upgrade sequence, ensuring all static files and database migrations are applied.
4. Review the user database for accounts whose name fields contain HTML or Markdown syntax to identify earlier exploitation attempts.

References:
GitHub Security Advisory GHSA-jm8c-9f3j-4378
OSV Record GHSA-jm8c-9f3j-4378
Vulnerability Database GCVE
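The following Python example is added here to illustrate two of the items above, the interim escaping mitigation and the post-upgrade review of name fields; it is not pretalx code and does not reproduce its mail templates. The template text, the `render_vulnerable` / `render_hardened` functions, the `SUSPICIOUS` heuristics and the sample accounts are all constructed for the demonstration. The vulnerable renderer substitutes a profile name into an HTML email body as-is, the hardened one escapes every user-controlled value first, and `suspicious_accounts` flags stored names that carry HTML tags, Markdown links or bare URLs.

```python
import html
import re
from string import Template

# Constructed sample mail template. It stands in for a system-generated
# notification; it is not a pretalx template.
TEMPLATE = Template(
    "<p>Hello $name,</p>\n"
    "<p>Your submission to $event has been received.</p>"
)


def render_vulnerable(name: str, event: str) -> str:
    """Substitutes user-controlled fields into the template as-is.

    This is the pattern the advisory describes: markup in a profile field
    lands verbatim in the outgoing email body.
    """
    return TEMPLATE.substitute(name=name, event=event)


def render_hardened(name: str, event: str) -> str:
    """Escapes every user-controlled value before substitution.

    html.escape turns <, >, &, " and ' into entities, so the recipient's
    mail client shows the attacker's text instead of rendering it.
    """
    return TEMPLATE.substitute(
        name=html.escape(name, quote=True),
        event=html.escape(event, quote=True),
    )


# Hypothetical review heuristics: HTML tags, Markdown links, bare URLs.
# These are not signatures from the advisory.
SUSPICIOUS = re.compile(
    r"<[a-zA-Z/!][^>]*>"          # an HTML tag such as <a href=...> or </b>
    r"|\[[^\]]*\]\([^)]*\)"       # a Markdown link [text](url)
    r"|https?://",                # a bare URL
    re.IGNORECASE,
)


def suspicious_accounts(accounts):
    """Returns (id, name) for accounts whose name field contains markup.

    `accounts` is an iterable of dicts with "id" and "name" keys, the shape
    a database export might take when working through remediation step 4.
    """
    return [(a["id"], a["name"]) for a in accounts if SUSPICIOUS.search(a["name"])]


# Constructed sample accounts; IDs and names are invented for the demo.
SAMPLE_ACCOUNTS = [
    {"id": 1, "name": "Ada Lovelace"},
    {"id": 2, "name": 'Ada <a href="https://evil.example/reset">reset your password</a>'},
    {"id": 3, "name": "Ada [verify your account](https://evil.example/verify)"},
    {"id": 4, "name": "O'Brien & Sons"},   # legitimate characters that still need escaping
]


if __name__ == "__main__":
    attacker = SAMPLE_ACCOUNTS[1]["name"]
    print("--- vulnerable rendering ---")
    print(render_vulnerable(attacker, "DemoConf"))
    print("--- hardened rendering ---")
    print(render_hardened(attacker, "DemoConf"))
    print("--- accounts to review ---")
    for account_id, name in suspicious_accounts(SAMPLE_ACCOUNTS):
        print(account_id, repr(name))
```

Escaping at the substitution point is the right place for the interim fix because it does not depend on which template includes the field; a rule applied per template is easy to miss in one of them. The review regex is deliberately broad (a bare URL in a name is worth a look even without tags), so expect a few false positives such as legitimate company names with links; the apostrophe-and-ampersand account shows why escaping must not be skipped for names that merely look unusual.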