Pretalx · Pretalx · CVE-2026-41241
**Name of the Vulnerable Software and Affected Versions**
pretalx versions prior to 2026.1.0
**Description**
The organiser search in the backend renders submission titles, speaker display names, and user names or emails into the result dropdown using innerHTML string interpolation. This allows a user who controls these fields to inject HTML or JavaScript that executes in the browser of an organiser when a search query matches the malicious record.
**Recommendations**
Update to version 2026.1.0.