PYSEC-2026-109
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/pretalx/PYSEC-2026-109.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2026-109
- Aliases
-
- CVE-2026-41426
- GHSA-jm8c-9f3j-4378
- Published
- 2026-04-24T20:16:27.247Z
- Modified
- 2026-05-20T09:19:11.385949Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: the attacker registers an account with a malicious name, enters the victim's email address, and triggers a password reset. The resulting email is delivered from the event's legitimate sender address and passes SPF/DKIM/DMARC validation, making it a ready-made phishing vector. This vulnerability is fixed in 2026.1.0.
- References
Affected packages
PyPI / pretalx
Package
- Name
- pretalx
- View open source insights on deps.dev
- Purl
- pkg:pypi/pretalx
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2026.1.0
Affected versions
0.*
0.1.0
0.2.0.post1
0.2.1.post1
0.2.2
0.3.0
0.3.1
0.4.0
0.4.1
0.5.0
0.6.0
0.6.1
0.7.0
0.7.1
0.8.0
0.9.0
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.1.1
1.1.2
2.*
2.0.0
2.1.0
2.1.1
2.2.0
2.3.0
2.3.1
2.3.2
2023.*
2023.1.0
2023.1.1
2023.1.2
2023.1.3
2024.*
2024.1.0
2024.2.0
2024.2.1
2024.3.0
2024.3.1
2025.*
2025.1.0
2025.2.0
2025.2.1
2025.2.2