Email Spoofing Vulnerability in Pretalx Conference Planning Tool
CVE-2026-41426

6.1 MEDIUM

Key Information:

Vendor: Pretalx

Status: Vendor

CVE Published: 24 April 2026

What is CVE-2026-41426?

pretalx, an open-source conference planning tool, renders user-controlled template placeholders, such as the account display name, into the emails it sends without restricting their content. An attacker registers an account with an arbitrary display name, enters the victim's email address, and initiates a password reset. pretalx then delivers the reset email, attacker-chosen display name included, to the victim. Because the message is sent by the legitimate pretalx mail server, it passes SPF, DKIM and DMARC checks rather than being caught by them: the attacker's text arrives with the full authenticity of the conference's own notifications, which makes it an effective phishing lure. The issue is fixed in pretalx version 2026.1.0.
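The pattern behind this advisory, as an added illustration that is not pretalx's own code: a transactional email template that drops a free-text account field straight into the subject and body, next to a hardened renderer that keeps the subject fixed, strips line breaks, URLs and excess length from the name, and a registration-time policy check that rejects such names before they are stored. The attacker name, victim address, reset URL, name length limit and the small TLD list in the URL regex are all constructed for the example.

```python
"""Constructed demonstration of placeholder injection in a password-reset email.
Illustrative code only; it does not reproduce pretalx's templates or fix."""
import re
import unicodedata
from dataclasses import dataclass
from typing import List

MAX_NAME_LEN = 60  # assumed limit for the example; pick one that fits real names

# Links and bare domains are the payload a phisher needs; the TLD list is illustrative.
_URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+|\b[\w.-]+\.(?:com|net|org|io|example)\b")
# Control characters and Unicode line separators let a name add lines to the mail.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f\u2028\u2029]")


@dataclass
class Mail:
    to: str
    subject: str
    body: str


def render_reset_naive(display_name: str, recipient: str, reset_url: str) -> Mail:
    """Vulnerable pattern: the user-controlled placeholder lands in subject and body unchanged."""
    subject = f"{display_name}: password reset"
    body = f"Hello {display_name},\n\nUse this link to reset your password:\n{reset_url}\n"
    return Mail(to=recipient, subject=subject, body=body)


def sanitize_display_name(name: str) -> str:
    """Neutralise lure content in a free-text name: fold control characters to spaces,
    drop anything that looks like a link or domain, collapse whitespace, cap the length,
    and fall back to a neutral greeting if nothing usable remains."""
    name = unicodedata.normalize("NFKC", name)
    name = _CTRL_RE.sub(" ", name)
    name = _URL_RE.sub("", name)
    name = " ".join(name.split())
    name = name[:MAX_NAME_LEN].rstrip()
    return name or "there"


def name_policy_violations(name: str) -> List[str]:
    """Registration-time check: reasons a display name should be rejected before it is stored,
    so the email layer is not the only line of defence."""
    reasons = []
    if _CTRL_RE.search(name):
        reasons.append("control characters or line breaks")
    if _URL_RE.search(name):
        reasons.append("URL or domain name")
    if len(name) > MAX_NAME_LEN:
        reasons.append(f"longer than {MAX_NAME_LEN} characters")
    return reasons


def render_reset_hardened(display_name: str, recipient: str, reset_url: str) -> Mail:
    """Hardened pattern: a fixed subject the user cannot influence, a sanitised name that only
    appears in the greeting, and a sentence telling the recipient what the mail is for."""
    safe_name = sanitize_display_name(display_name)
    subject = "Password reset request"
    body = (
        f"Hello {safe_name},\n\n"
        "A password reset was requested for this email address. "
        "If that was not you, ignore this message.\n\n"
        f"Reset link: {reset_url}\n"
    )
    return Mail(to=recipient, subject=subject, body=body)


# Constructed attacker input: the display name is the phishing lure.
ATTACKER_NAME = (
    "SECURITY ALERT\r\nYour account was locked. Verify immediately at "
    "https://evil.example/login\r\nIgnore the link below"
)
VICTIM = "victim@example.org"
RESET_URL = "https://pretalx.example.org/reset/TOKEN"

if __name__ == "__main__":
    print(render_reset_naive(ATTACKER_NAME, VICTIM, RESET_URL).body)
    print(render_reset_hardened(ATTACKER_NAME, VICTIM, RESET_URL).body)
    print(name_policy_violations(ATTACKER_NAME))
```

Sanitising on the way out only removes the mechanics of the lure (links, extra lines); the remaining words can still read like a warning, which is why the registration-time check and a fixed, server-chosen subject line matter more than any single filter.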

Affected Version(s)

pretalx < 2026.1.0

CVSS v3.1

Score: 6.1
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Timeline

  • Vulnerability published: 24 April 2026

  • Vulnerability reserved