HTML Injection in Pretalx Conference Planning Tool
CVE-2026-41241

8.7HIGH

Key Information:

Vendor: Pretalx
Status: Pretalx
Vendor: CVE Published:; 23 April 2026

What is CVE-2026-41241?

The pretalx conference planning tool prior to version 2026.1.0 is susceptible to an HTML injection vulnerability. This issue arises when the organiser search functionality displays submission titles, speaker names, and user details using innerHTML string interpolation. Any registered user can manipulate these fields to insert malicious HTML or JavaScript code. If an organiser performs a search that matches these malicious records, it can lead to the execution of unauthorized scripts within the organisor's browser. To mitigate this risk, it is crucial to update to version 2026.1.0 or later.

Affected Version(s)

pretalx < 2026.1.0

References

https://github.com/pretalx/pretalx/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 23, 2026
Vulnerability Reserved
Apr 18, 2026

CVE-2026-41241 Data

JSON