Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.7
Pretalx Organizer Search Can Run Malicious Code
GHSA-cjcx-jfp2-f7m2
Summary
A security flaw in Pretalx allows attackers to inject malicious code into the organizer search function, potentially stealing data or making unauthorized changes. This affects any user with organizer or administrator permissions. To fix, update to Pretalx version 2026.1.0 or patch the relevant JavaScript file manually.
What to do
- Update pretalx to version 2026.1.0.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | pretalx |
< 2026.1.0 Fix: upgrade to 2026.1.0
|
Original title
pretalx vulnerable to stored cross-site scripting in organizer search typeahead
Original description
The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using `innerHTML` string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record.
Triggering the vulnerability required:
1. An attacker-controlled field reachable by the search, which included any speaker's or submitter's display name in an event context (submitted a proposal) or any user at all for superusers.
2. An organiser user with more than just review permissions or administrator user performing a typeahead search whose query matched the malicious record. An attacker can make matches likely by placing common substrings in the payload-bearing field.
Once triggered, the injected script executed in the context of the pretalx organiser interface and could read the page's CSRF token, submit authenticated requests on the victim's behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim.
### Patches
Fixed in pretalx v2026.1.0.
### Workarounds
There is no configuration-level workaround. Operators who cannot upgrade immediately can avoid using the organiser search bar, or apply the patch to `src/pretalx/static/orga/js/base.js` manually and re-collect static files.
### Credits
We thank Elad Meged from Novee Security for finding and reporting this vulnerability.
Triggering the vulnerability required:
1. An attacker-controlled field reachable by the search, which included any speaker's or submitter's display name in an event context (submitted a proposal) or any user at all for superusers.
2. An organiser user with more than just review permissions or administrator user performing a typeahead search whose query matched the malicious record. An attacker can make matches likely by placing common substrings in the payload-bearing field.
Once triggered, the injected script executed in the context of the pretalx organiser interface and could read the page's CSRF token, submit authenticated requests on the victim's behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim.
### Patches
Fixed in pretalx v2026.1.0.
### Workarounds
There is no configuration-level workaround. Operators who cannot upgrade immediately can avoid using the organiser search bar, or apply the patch to `src/pretalx/static/orga/js/base.js` manually and re-collect static files.
### Credits
We thank Elad Meged from Novee Security for finding and reporting this vulnerability.
ghsa CVSS3.1
8.7
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 18 Apr 2026 · Updated: 18 Apr 2026 · First seen: 18 Apr 2026