DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-CJCX-JFP2-F7M2: High-Severity Stored XSS in Pretalx Organizer Search Interface

Vulnerability ID: GHSA-CJCX-JFP2-F7M2
CVSS Score: 8.7
Published: 2026-04-18

Pretalx versions prior to 2026.1.0 contain a high-severity stored Cross-Site Scripting (XSS) vulnerability in the organizer-facing search interface. Low-privileged users, such as speakers or proposal submitters, can inject malicious JavaScript into their profiles or submissions. When an organizer searches for these records, the application renders the results unsafely via innerHTML, leading to arbitrary script execution in the organizer's browser.

TL;DR

A stored XSS vulnerability in the Pretalx search typeahead feature allows low-privileged users to execute arbitrary JavaScript in the context of administrative organizer accounts, enabling session hijacking and unauthorized administrative actions.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Stored Cross-Site Scripting (XSS)
  • CWE ID: CWE-79
  • CVSS Score: 8.7 (High)
  • Attack Vector: Network
  • Privileges Required: Low (Submitter/Speaker)
  • User Interaction: Required (Organizer must search)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • Pretalx (Organizer Backend Interface)
  • pretalx: < 2026.1.0 (Fixed in: 2026.1.0)

Mitigation Strategies

  • Upgrade Pretalx to version 2026.1.0 or higher.
  • Apply a manual patch to the frontend JavaScript files, replacing innerHTML with textContent.
  • Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads on the profile update and proposal submission endpoints.
  • Avoid using the organizer backend search feature until a patch is applied.
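The rendering defect described above and the innerHTML-to-textContent fix from the mitigation list, shown side by side as an added example (this is not pretalx's own code; the result shape and field names are assumed, and the sample payload is constructed):

```javascript
// Added example, not pretalx's own code. Models a typeahead result list whose
// displayed fields (speaker name, proposal title) are supplied by a
// low-privileged submitter, and contrasts innerHTML rendering with a
// textContent-based fix. Field names and the `type` value are assumptions.

// Constructed sample results: the second record carries a stored payload.
// innerHTML does not run <script> elements it parses, but it does create an
// <img> whose onerror handler fires when the broken src fails to load.
const SAMPLE_RESULTS = [
  { type: "speaker", name: "Ada Lovelace", title: "Analytical Engines" },
  { type: "submission", name: '<img src=x onerror="alert(1)">', title: "Untitled" },
];

// Vulnerable pattern: untrusted fields are concatenated into markup that the
// page then assigns to container.innerHTML, so the browser parses the payload.
function renderResultsUnsafe(results) {
  return results
    .map((r) => `<li class="result ${r.type}"><strong>${r.name}</strong>: ${r.title}</li>`)
    .join("");
}

// Fix 1: build DOM nodes and assign untrusted strings via textContent, which
// never invokes the HTML parser. `doc` defaults to the browser document and is
// a parameter only so the function can run against a stub outside a browser.
function renderResultsSafe(container, results, doc = globalThis.document) {
  container.textContent = ""; // clear previous results without parsing HTML
  for (const r of results) {
    const li = doc.createElement("li");
    li.className = `result ${r.type}`; // server-assigned value, not free text
    const name = doc.createElement("strong");
    name.textContent = r.name; // rendered as literal text
    li.appendChild(name);
    li.appendChild(doc.createTextNode(`: ${r.title}`));
    container.appendChild(li);
  }
  return container.childNodes.length;
}

// Fix 2: if markup strings must be kept, escape every untrusted field before
// it reaches innerHTML. The DOM approach above is the preferred fix.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderResultsEscaped(results) {
  return results
    .map((r) => `<li class="result ${r.type}"><strong>${escapeHtml(r.name)}</strong>: ${escapeHtml(r.title)}</li>`)
    .join("");
}
```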

Remediation Steps

  1. Verify the current Pretalx version using the application dashboard or package manager.
  2. Schedule a maintenance window for the application upgrade.
  3. Upgrade the Pretalx package via pip: pip install --upgrade "pretalx>=2026.1.0" (the version specifier is quoted so the shell does not treat > as a redirect).
  4. Run database migrations and re-collect static files as described in the Pretalx upgrade documentation.
  5. Restart the application server to apply the changes.

References

Read the full report for GHSA-CJCX-JFP2-F7M2 on our website for more details including interactive diagrams and full exploit analysis.