CVE-2026-41426

Description

pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: the attacker registers an account with a malicious name, enters the victim's email address, and triggers a password reset. The resulting email is delivered from the event's legitimate sender address and passes SPF/DKIM/DMARC validation, making it a ready-made phishing vector. This vulnerability is fixed in 2026.1.0.

How to fix CVE-2026-41426

To remediate CVE-2026-41426, upgrade the affected package to a fixed version below.

• —upgrade to 2026.1.0 or later
• —upgrade to 2026.1.0 or later

Is CVE-2026-41426 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 2026.1.0
• from 0, < 2026.1.0

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-41426
• PATCHgithub.com/pretalx/pretalx
• WEBgithub.com/pretalx/pretalx/security/advisories/GHSA-jm8c-9f3j-4378
• WEBgithub.com/pypa/advisory-database/tree/main/vulns/pretalx/PYSEC-2026-109.yaml