CVE-2026-41241 - Vulnerability Details

- pretalx: Stored cross-site scripting in organiser search typeahead

Description

pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record. This vulnerability is fixed in 2026.1.0.

Published: 2026-04-23

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Pretalx, a conference planning tool, contains a stored cross‑site scripting flaw in the organizer search typeahead. Submission titles, speaker display names, and user names/emails that are rendered with innerHTML allow any user who can set those fields—such as a registered user whose display name is displayed to an organizer—to embed HTML or JavaScript. When an organizer performs a search that matches the malicious record, the injected script runs inside the organizer’s browser, enabling attackers to hijack sessions, exfiltrate data, or perform other malicious actions with the organizer’s privileges.

Affected Systems

All installations of pretalx before version 2026.1.0 are affected. The vulnerability exists on the backend component of the pre‑2026.1.0 releases.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, but the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require the attacker to control one of the affected fields and for an organizer to perform a matching search; the attack can be carried out via the web interface without additional privileges beyond those used to submit or assign speakers.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pretalx

affected

Version	Status	Constraints
`< 2026.1.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:pretalx:pretalx:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Pretalx

100%

Version	Status	Scheme	Platform
`[0,2026.1.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to pretalx 2026.1.0 or later
If upgrading is not immediately possible, disable the organizer search typeahead feature until a fix is applied
Sanitize or HTML‑escape user‑supplied fields such as submission titles, speaker display names, and user names/emails in any custom code or templates

Generated by OpenCVE AI on April 28, 2026 at 14:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-cjcx-jfp2-f7m2	pretalx vulnerable to stored cross-site scripting in organizer search typeahead

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/pretalx/pretalx/security/advisories/GHSA-cjcx-jfp2-f7m2

History

Tue, 28 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:pretalx:pretalx::::::::

Mon, 27 Apr 2026 23:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pretalx Pretalx pretalx
Vendors & Products		Pretalx Pretalx pretalx

Thu, 23 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 23 Apr 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record. This vulnerability is fixed in 2026.1.0.
Title		pretalx: Stored cross-site scripting in organiser search typeahead
Weaknesses		CWE-79
References		https://github.com/pretalx/pretalx/security/advisories/GHSA-cjcx-jfp2-f7m2
Metrics		cvssV3_1 `{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}`

Subscriptions

Pretalx Pretalx

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-23T18:30:56.991Z

Updated: 2026-04-23T19:23:19.257Z

Reserved: 2026-04-18T03:47:03.135Z

Link: CVE-2026-41241

Vulnrichment

Updated: 2026-04-23T19:23:14.481Z

NVD

Status : Analyzed

Published: 2026-04-23T19:17:29.533

Modified: 2026-04-28T19:07:37.290

Link: CVE-2026-41241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object