Pretalx XSS: Organizer Search Exposes User Data
The National Vulnerability Database reports CVE-2026-41241 in pretalx, a conference planning tool. Prior to version 2026.1.0, the backend’s organizer search feature was vulnerable to cross-site scripting (XSS). This flaw allowed malicious HTML or JavaScript to be injected into submission titles, speaker display names, and user names/emails. When an organizer’s search query matched a malicious record, the injected code would execute within their browser.
This is a classic stored XSS scenario, rated with a high CVSS score of 8.7. The attacker’s calculus is straightforward: leverage a low-privilege account (any registered user) to compromise a higher-privilege user (an organizer). The vulnerability resides in innerHTML string interpolation of those user-controlled fields, a common pitfall in which untrusted text is spliced into markup and then parsed as HTML by the browser, allowing client-side code execution. For defenders, this means a compromised organizer account could lead to further internal access, data exfiltration, or even supply chain attacks if the conference content itself is sensitive.
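The innerHTML interpolation pitfall described above, shown as an added illustration beside a hardened renderer. This is not pretalx's own search code; the record shape (title, speaker, email) and the sample record are constructed stand-ins for an organizer search result.

```javascript
// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// VULNERABLE pattern: untrusted record fields are spliced straight into
// markup that is later assigned to element.innerHTML. Any HTML in a
// submission title or display name becomes live DOM in the organizer's browser.
function renderResultUnsafe(record) {
  return `<li class="result"><span class="title">${record.title}</span>` +
         ` by <span class="speaker">${record.speaker}</span>` +
         ` &lt;${record.email}&gt;</li>`;
}

// HARDENED: every interpolated field is escaped, so the markup structure is
// fixed by the template and user data can only ever render as text.
function renderResultSafe(record) {
  return `<li class="result"><span class="title">${escapeHtml(record.title)}</span>` +
         ` by <span class="speaker">${escapeHtml(record.speaker)}</span>` +
         ` &lt;${escapeHtml(record.email)}&gt;</li>`;
}

// Preferred when a DOM is available: build nodes and set textContent, which
// never parses the value as HTML. Returns null outside a browser (e.g. Node).
function renderResultDom(record) {
  if (typeof document === "undefined") return null;
  const li = document.createElement("li");
  const title = document.createElement("span");
  title.textContent = record.title;
  li.append(title, ` by ${record.speaker} <${record.email}>`);
  return li;
}

// Constructed sample record (hypothetical data): a submission title and a
// display name carrying markup, as the advisory describes.
const SAMPLE = {
  title: '<img src=x onerror="alert(1)">Keynote',
  speaker: "Jane <b>Doe</b>",
  email: "jane@example.org",
};
```

Running both renderers over SAMPLE shows the difference: the unsafe string still contains the raw `<img ...>` tag, while the hardened string carries only `&lt;img ...&gt;`, which the browser displays literally.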
The fix is available in pretalx version 2026.1.0. Organizations using pretalx must prioritize this update. Without it, the risk of an insider threat or targeted attack against conference organizers remains significant. This isn’t just about defacement; it’s about gaining a foothold into an organization via a seemingly innocuous administrative function.
What This Means For You
- If your organization uses pretalx, you must immediately verify your version. If it's prior to 2026.1.0, patch to the latest version. Audit your organizer accounts and any recent activity for anomalous behavior, especially if you handle sensitive conference submissions or speaker data.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41241 | XSS | pretalx conference planning tool |
| CVE-2026-41241 | XSS | pretalx versions prior to 2026.1.0 |
| CVE-2026-41241 | XSS | Organiser search in pretalx backend |
| CVE-2026-41241 | XSS | innerHTML string interpolation of submission titles, speaker display names, user names/emails |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 22:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.