PT-2026-35695 · Pypi · Pretalx
Published
2026-04-18
·
Updated
2026-04-18
CVSS v3.1
8.7
High
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using
innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record.Triggering the vulnerability required:
- An attacker-controlled field reachable by the search, which included any speaker's or submitter's display name in an event context (submitted a proposal) or any user at all for superusers.
- An organiser user with more than just review permissions or administrator user performing a typeahead search whose query matched the malicious record. An attacker can make matches likely by placing common substrings in the payload-bearing field.
Once triggered, the injected script executed in the context of the pretalx organiser interface and could read the page's CSRF token, submit authenticated requests on the victim's behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim.
Patches
Fixed in pretalx v2026.1.0.
Workarounds
There is no configuration-level workaround. Operators who cannot upgrade immediately can avoid using the organiser search bar, or apply the patch to
src/pretalx/static/orga/js/base.js manually and re-collect static files.Credits
We thank Elad Meged from Novee Security for finding and reporting this vulnerability.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pretalx