GHSA-CJCX-JFP2-F7M2

Vulnerability from github – Published: 2026-04-18 01:11 – Updated: 2026-04-18 01:11
VLAI?
Summary
pretalx vulnerable to stored cross-site scripting in organizer search typeahead
Details

The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record.

Triggering the vulnerability required:

  1. An attacker-controlled field reachable by the search, which included any speaker's or submitter's display name in an event context (submitted a proposal) or any user at all for superusers.
  2. An organiser user with more than just review permissions or administrator user performing a typeahead search whose query matched the malicious record. An attacker can make matches likely by placing common substrings in the payload-bearing field.

Once triggered, the injected script executed in the context of the pretalx organiser interface and could read the page's CSRF token, submit authenticated requests on the victim's behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim.

Patches

Fixed in pretalx v2026.1.0.

Workarounds

There is no configuration-level workaround. Operators who cannot upgrade immediately can avoid using the organiser search bar, or apply the patch to src/pretalx/static/orga/js/base.js manually and re-collect static files.

Credits

We thank Elad Meged from Novee Security for finding and reporting this vulnerability.

Severity ?
8.7 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretalx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-18T01:11:38Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using `innerHTML` string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser\u0027s browser when the organiser\u0027s search query matched the malicious record.\n\nTriggering the vulnerability required:\n\n1. An attacker-controlled field reachable by the search, which included any speaker\u0027s or submitter\u0027s display name in an event context (submitted a proposal) or any user at all for superusers.\n2. An organiser user with more than just review permissions or administrator user performing a typeahead search whose query matched the malicious record. An attacker can make matches likely by placing common substrings in the payload-bearing field.\n\nOnce triggered, the injected script executed in the context of the pretalx organiser interface and could read the page\u0027s CSRF token, submit authenticated requests on the victim\u0027s behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim.\n\n### Patches\n\nFixed in pretalx v2026.1.0.\n\n### Workarounds\n\nThere is no configuration-level workaround. Operators who cannot upgrade immediately can avoid using the organiser search bar, or apply the patch to `src/pretalx/static/orga/js/base.js` manually and re-collect static files.\n\n### Credits\n\nWe thank Elad Meged from Novee Security for finding and reporting this vulnerability.",
  "id": "GHSA-cjcx-jfp2-f7m2",
  "modified": "2026-04-18T01:11:38Z",
  "published": "2026-04-18T01:11:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pretalx/pretalx/security/advisories/GHSA-cjcx-jfp2-f7m2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pretalx/pretalx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pretalx vulnerable to stored cross-site scripting in organizer search typeahead"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.