CVE 8.7 HIGH

pretalx: Stored cross-site scripting in organiser search typeahead_CVE-2026-41241

April 23, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Description

pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record. This vulnerability is fixed in 2026.1.0.

AI Analysis

Stored cross-site scripting vulnerability in pretalx organiser search typeahead

Basic Information

ID CVE-2026-41241

Source GitHub_M

Published Apr 23, 2026 at 18:30

Modified Apr 23, 2026 at 19:23

Affected Product

Vendor pretalx

Product pretalx

Version < 2026.1.0

Affected Versions pretalx pretalx < 2026.1.0

CWE Classification

CWE-79

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor pretalx

Product pretalx

Version < 2026.1.0

References

github.com /pretalx/pretalx/security/advisories/GHSA-cjcx-jfp2-f7m2

{
    "lastseen": "",
    "description": "pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record. This vulnerability is fixed in 2026.1.0.",
    "published": "2026-04-23T18:30:56.991Z",
    "modified": "2026-04-23T19:23:19.257Z",
    "type": "cve",
    "title": "pretalx: Stored cross-site scripting in organiser search typeahead",
    "source": "GitHub_M",
    "references": "https://github.com/pretalx/pretalx/security/advisories/GHSA-cjcx-jfp2-f7m2",
    "id": "CVE-2026-41241",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "pretalx pretalx < 2026.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pretalx",
    "version": "< 2026.1.0",
    "vendor": "pretalx",
    "ai_description": "Stored cross-site scripting vulnerability in pretalx organiser search typeahead",
    "ai_severity": "High",
    "ai_vendor": "pretalx",
    "ai_product": "pretalx",
    "ai_version": "< 2026.1.0",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply