CVE-2026-41241 - Stored cross-site scripting in organiser search typeahead

Organiser search typeahead backend component (src/pretalx/static/orga/js/base.js)

pretalx (pip) 2026.1.0

The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser’s browser when the organiser’s search query matched the malicious record.

Triggering the vulnerability required:

1. An attacker-controlled field reachable by the search, which included any speaker’s or submitter’s display name in an event context (submitted a proposal) or any user at all for superusers.
2. An organiser user with more than just review permissions or administrator user performing a typeahead search whose query matched the malicious record. An attacker can make matches likely by placing common substrings in the payload-bearing field.

Once triggered, the injected script executed in the context of the pretalx organiser interface and could read the page’s CSRF token, submit authenticated requests on the victim’s behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim.

Read more →