Pretalx stored XSS in admin panel (CVE-2026-41241)
Any registered user can hijack organiser sessions in pretalx via stored XSS in the backend organiser search. Update to version 2026.1.0 to fix this high-severity flaw.
Vendor-confirmed: CVE-2026-41241 is a high-severity stored XSS vulnerability in pretalx versions prior to 2026.1.0. Any registered user can plant a script that runs in an organiser's browser during a routine backend search, allowing session hijacking or credential theft.
Overview
CVE-2026-41241 is a stored cross-site scripting (XSS) vulnerability in pretalx, an open-source conference planning tool. The flaw sits in the organiser search feature of the backend administrative interface: when an organiser searches for submissions or users, the dropdown results are built by interpolating submission titles, speaker display names, and user names and email addresses directly into an innerHTML string. Because those fields are writable by any registered user, an attacker can store HTML or JavaScript in them, and it executes in the organiser's browser as soon as a search matches the attacker's record.
Impact
The vulnerability has a CVSS score of 8.7 (High): network attack vector, low attack complexity, low privileges required, and user interaction required. An attacker needs nothing more than a registered account to store the payload. When an organiser performs a search that matches the attacker-controlled record, the payload executes in the organiser's authenticated browser session, which can lead to session hijacking, credential theft, unauthorized actions within the pretalx backend, or data exfiltration. The user-interaction requirement is satisfied by a normal search, a routine organiser task, so it offers little practical protection.
Affected Versions
All pretalx versions prior to 2026.1.0 are vulnerable. The insecure rendering has been present since the organiser search dropdown was introduced, and version 2026.1.0 is the first release containing the fix.
Remediation
Update to pretalx 2026.1.0 or later immediately. The fix replaces the innerHTML string interpolation with DOM construction that treats user-controlled content as text, so submission titles, speaker names, and user names or emails are escaped rather than parsed as markup in the search result dropdown. No workaround is available, because the vulnerable code is part of the core backend interface. Organizations running pretalx should prioritize this update, especially on instances that allow open account registration: any registered user can plant the payload, and every organiser who runs a matching search is a target.
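The following is an added example, not pretalx's own code, illustrating the two patterns the Overview and Remediation sections describe: a search dropdown assembled by interpolating user-controlled fields into an innerHTML string, next to two hardened renderers (one that escapes before building markup, one that builds DOM nodes and assigns textContent). The field names, the sample records, and the `<img onerror>` payload are constructed for the demonstration; `containsForeignTag` is a small check added here to show that only the renderer's own tags survive in the hardened output.

```javascript
// Added example (not pretalx's code). Constructed search results: the second submission's
// title is attacker-controlled and carries a stored-XSS payload.
const SAMPLE_RESULTS = [
  { type: "submission", title: "Keynote: Securing conference tooling", speakers: "Alice Example" },
  { type: "submission", title: '<img src=x onerror="alert(document.cookie)">', speakers: "Mallory" },
  { type: "user", name: "Bob <bob@example.test>", email: "bob@example.test" },
];

// VULNERABLE pattern: user-controlled fields interpolated straight into markup.
// Assigning the returned string to dropdown.innerHTML parses the <img> tag and runs onerror.
function renderResultsUnsafe(results) {
  return results
    .map((r) =>
      r.type === "submission"
        ? `<li class="result"><strong>${r.title}</strong> <span>${r.speakers}</span></li>`
        : `<li class="result">${r.name} <span>${r.email}</span></li>`
    )
    .join("");
}

// Minimal HTML escaping for element content and double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// HARDENED (string form): every user-controlled field is escaped before it reaches markup,
// so the only tags in the result are the ones this function emits itself.
function renderResultsEscaped(results) {
  return results
    .map((r) =>
      r.type === "submission"
        ? `<li class="result"><strong>${escapeHtml(r.title)}</strong> <span>${escapeHtml(r.speakers)}</span></li>`
        : `<li class="result">${escapeHtml(r.name)} <span>${escapeHtml(r.email)}</span></li>`
    )
    .join("");
}

// HARDENED (DOM form): build nodes and set textContent, so the browser never parses user
// data as HTML. `doc` is the Document; it is a parameter so the function can be exercised
// outside a browser with a stub object that implements createElement/createTextNode.
function renderResultsDom(doc, results, container) {
  container.textContent = ""; // clear the previous dropdown contents
  for (const r of results) {
    const li = doc.createElement("li");
    li.className = "result";
    if (r.type === "submission") {
      const strong = doc.createElement("strong");
      strong.textContent = r.title; // payload becomes literal text, not an element
      li.appendChild(strong);
      li.appendChild(doc.createTextNode(" "));
    } else {
      li.appendChild(doc.createTextNode(r.name + " "));
    }
    const span = doc.createElement("span");
    span.textContent = r.type === "submission" ? r.speakers : r.email;
    li.appendChild(span);
    container.appendChild(li);
  }
  return container;
}

// Check helper for this example: does the rendered markup contain any tag other than the
// li/strong/span tags the renderers emit? True means user data was parsed as HTML.
function containsForeignTag(html) {
  const allowed = new Set(["li", "/li", "strong", "/strong", "span", "/span"]);
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Stand-alone run: the unsafe renderer leaks the <img> tag, the escaped one does not.
console.log("unsafe leaks tag:", containsForeignTag(renderResultsUnsafe(SAMPLE_RESULTS)));
console.log("escaped leaks tag:", containsForeignTag(renderResultsEscaped(SAMPLE_RESULTS)));
```

The DOM form is the stronger default for a dropdown: it cannot be undone by a later refactor that forgets one `escapeHtml` call, and it makes any remaining `innerHTML` assignment in the file stand out in review. Whichever form is used, the rule is the same as in the advisory: every field a registered user can write (titles, display names, emails) is untrusted the moment it is shown to an organiser.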
Security Insight
Stored XSS in administrative interfaces is a recurring pattern in web applications that trust user input in high-privilege contexts. This vulnerability highlights a basic design principle: any user-controllable field displayed to administrators must be treated as untrusted. pretalx's response, fixing the rendering method rather than trying to sanitize individual fields, is the correct approach, because a single escaped-at-render-time sink covers every field it displays, while per-field sanitization has to be repeated for each new field and silently fails when one is missed. Organizations should review their own applications for similar innerHTML patterns (and equivalents such as insertAdjacentHTML or jQuery's .html()) in admin interfaces, particularly where search results or dashboards display user-generated content.