Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit aef5bed9ad6b · 2026-04-18T01:13:56.000Z
GHSA-cjcx-jfp2-f7m2 GHSA-jm8c-9f3j-4378
diff --git a/advisories/github-reviewed/2026/04/GHSA-cjcx-jfp2-f7m2/GHSA-cjcx-jfp2-f7m2.json b/advisories/github-reviewed/2026/04/GHSA-cjcx-jfp2-f7m2/GHSA-cjcx-jfp2-f7m2.json
@@ -0,0 +1,55 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cjcx-jfp2-f7m2",
+  "modified": "2026-04-18T01:11:38Z",
+  "published": "2026-04-18T01:11:38Z",
+  "aliases": [],
+  "summary": "pretalx vulnerable to stored cross-site scripting in organizer search typeahead",
+  "details": "The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using `innerHTML` string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record.\n\nTriggering the vulnerability required:\n\n1. An attacker-controlled field reachable by the search, which included any speaker's or submitter's display name in an event context (submitted a proposal) or any user at all for superusers.\n2. An organiser user with more than just review permissions or administrator user performing a typeahead search whose query matched the malicious record. An attacker can make matches likely by placing common substrings in the payload-bearing field.\n\nOnce triggered, the injected script executed in the context of the pretalx organiser interface and could read the page's CSRF token, submit authenticated requests on the victim's behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim.\n\n### Patches\n\nFixed in pretalx v2026.1.0.\n\n### Workarounds\n\nThere is no configuration-level workaround. Operators who cannot upgrade immediately can avoid using the organiser search bar, or apply the patch to `src/pretalx/static/orga/js/base.js` manually and re-collect static files.\n\n### Credits\n\nWe thank Elad Meged from Novee Security for finding and reporting this vulnerability.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "pretalx"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.1.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pretalx/pretalx/security/advisories/GHSA-cjcx-jfp2-f7m2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pretalx/pretalx"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T01:11:38Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-jm8c-9f3j-4378/GHSA-jm8c-9f3j-4378.json b/advisories/github-reviewed/2026/04/GHSA-jm8c-9f3j-4378/GHSA-jm8c-9f3j-4378.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jm8c-9f3j-4378",
+  "modified": "2026-04-18T01:11:19Z",
+  "published": "2026-04-18T01:11:19Z",
+  "aliases": [],
+  "summary": "pretalx mail templates vulnerable to email injection via unescaped user-controlled placeholders",
+  "details": "An unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: the attacker registers an account with a malicious name, enters the victim's email address, and triggers a password reset. The resulting email is delivered from the event's legitimate sender address and passes SPF/DKIM/DMARC validation, making it a ready-made phishing vector.\n\nThe same class of bug affects every mail template that interpolates a user-controlled placeholder (speaker name, proposal title, biography, question answers, etc.), including organiser-triggered emails such as acceptance/rejection notifications.\n\n### Credits\n\nThanks go to Mark Fijneman for finding and reporting a subset of this issue, which alerted us to the wider vulnerability.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "pretalx"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.1.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pretalx/pretalx/security/advisories/GHSA-jm8c-9f3j-4378"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pretalx/pretalx"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-116",
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T01:11:19Z",
+    "nvd_published_at": null
+  }
+}
