Impact
This vulnerability allows an unauthenticated attacker to inject arbitrary HTML into emails sent by a pretalx instance. User‑controlled placeholders such as the account display name are substituted into mail templates before the template is rendered, so raw HTML or markdown link syntax placed in such a field is rendered as markup rather than as literal text. The resulting message is a fully rendered email sent from the event's legitimate sender address through the instance's own mail path, so it passes SPF, DKIM and DMARC checks, effectively turning the service into a ready‑made phishing platform. The flaw is most readily demonstrated through the password‑reset flow: a newly created account with a malicious display name triggers a reset email, containing the attacker's link, to a victim address.
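The rendering mistake the advisory describes, as an added example that is not pretalx's own code: a tiny stand‑in markdown renderer (only `[text](url)` links are handled; a real renderer also passes raw HTML through) is applied to a constructed template. The vulnerable path substitutes the user‑controlled display name into the markdown source before rendering, so link syntax in the name becomes a live anchor; the hardened path renders the trusted template first and then drops in HTML‑escaped values. The placeholder names, template text, URLs and display names are all assumptions for the example.

```python
import html
import re

# Constructed sample inputs (not from the advisory): an attacker-chosen display
# name carrying markdown link syntax, and one carrying raw HTML.
LINK_NAME = "[Reset your password](https://attacker.example/login)"
HTML_NAME = "<b>Admin</b>"

# Constructed mail template in a markdown style; {name} and {reset_url} are
# assumed placeholder names, not pretalx's real template variables.
TEMPLATE = (
    "Hi {name},\n\n"
    "a password reset was requested for your account. "
    "Reset it here: [reset link]({reset_url})"
)

# Stand-in renderer: only converts [text](url) into an anchor. It deliberately
# does nothing else, which already suffices to show the injection.
LINK_RE = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")


def render_markdown(source: str) -> str:
    """Turn markdown link syntax into HTML anchors; pass everything else through."""
    return LINK_RE.sub(lambda m: f'<a href="{m.group(2)}">{m.group(1)}</a>', source)


def render_vulnerable(template: str, context: dict) -> str:
    """Substitute first, render second: user data is parsed as markdown/HTML."""
    return render_markdown(template.format(**context))


def render_hardened(template: str, context: dict) -> str:
    """Render the trusted template first, then insert HTML-escaped values.

    Because the values never reach the markdown parser and are escaped as HTML,
    neither link syntax nor raw tags in a display name become markup.
    """
    rendered = render_markdown(template)
    safe = {k: html.escape(str(v), quote=True) for k, v in context.items()}
    return rendered.format(**safe)


def has_link_to(rendered_html: str, url: str) -> bool:
    """Check whether the rendered mail carries a clickable anchor to `url`."""
    return f'<a href="{url}">' in rendered_html


if __name__ == "__main__":
    ctx = {"name": LINK_NAME, "reset_url": "https://pretalx.example/reset/abc123"}
    print("vulnerable:\n" + render_vulnerable(TEMPLATE, ctx) + "\n")
    print("hardened:\n" + render_hardened(TEMPLATE, ctx))
```

The hardened variant keeps the legitimate reset link from the template working while the attacker's link in the display name is emitted as inert text; escaping markdown metacharacters in the values before substitution is the alternative, but it has to track every construct the real renderer understands, whereas render‑then‑substitute does not.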
Affected Systems
All versions of pretalx prior to 2026.1.0 are affected. The issue resides in the mail‑template rendering logic of pretalx (pretalx/pretalx). Any deployment whose default or custom templates include user‑controlled placeholders, such as the display name, is vulnerable. The flaw is fixed in the 2026.1.0 release.
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity. The low EPSS (<1%) and the absence of the issue from the CISA KEV listing suggest that exploitation in the wild has not been observed, which lowers the estimated likelihood but not the attractiveness of the flaw: an email that spoofs nothing, because it genuinely originates from the event's mail infrastructure and satisfies domain‑level authentication, is exactly what a targeted phishing campaign wants. Since the attack requires no privileges and can be carried out through a simple web registration form, a malicious actor could generate large volumes of convincing emails against an unpatched instance. Until the fix is deployed, mitigation is limited to restricting the flows that produce such emails, such as self‑service registration and the password‑reset path, or to patching the rendering logic itself.
Sources: OpenCVE Enrichment; GitHub GHSA