CVE-2026-41241 HIGH

CVE-2026-41241: pretalx: Stored cross-site scripting in organiser search typeahead

Vendor Pretalx
Product pretalx
Weakness CWE-79 · XSS
Published April 23, 2026
Last update April 23, 2026
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record. This vulnerability is fixed in 2026.1.0.

Key dates

02Disclosure timeline

April 23, 2026 CVE published
April 23, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-4678 Campcodes Complete Web-Based School Management System find_friends.php cross site scripting CVE-2023-30752 WordPress External Videos Plugin <= 2.0.1 is vulnerable to Cross Site Scripting (XSS) CVE-2025-58810 WordPress Simple Link List Widget Plugin <= 0.3.2 - Cross Site Scripting (XSS) Vulnerability CVE-2021-32668 Cross-Site Scripting in Query Generator & Query View CVE-2025-48092 WordPress Fix Multiple Redirects plugin <= 1.2.3 - Reflected Cross Site Scripting (XSS) vulnerability