Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) pretalx is a Conference organisation: CfPs, scheduling, much more Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the organizer search. An attacker can execute arbitrary JavaScript code in the context of an organizer's browser by injecting malicious payloads into fields such as submission titles, speaker display names, or user names/emails, which are rendered using `innerHTML` string interpolation. This allows the attacker to access sensitive information, such as CSRF tokens, and perform actions on behalf of the victim, including modifying data or exfiltrating information, when an organizer or administrator performs a typeahead search that matches the malicious record. How to fix Cross-site Scripting (XSS)? Upgrade `pretalx` to version 2026.1.0 or higher.	[,2026.1.0)

Cross-site Scripting (XSS)

pretalx is a Conference organisation: CfPs, scheduling, much more

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the organizer search. An attacker can execute arbitrary JavaScript code in the context of an organizer's browser by injecting malicious payloads into fields such as submission titles, speaker display names, or user names/emails, which are rendered using innerHTML string interpolation. This allows the attacker to access sensitive information, such as CSRF tokens, and perform actions on behalf of the victim, including modifying data or exfiltrating information, when an organizer or administrator performs a typeahead search that matches the malicious record.

How to fix Cross-site Scripting (XSS)?

Upgrade pretalx to version 2026.1.0 or higher.

[,2026.1.0)

Go back to all versions of this package