PyPI package
pretalx
pkg:pypi/pretalx
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41426 | Med | 6.1 | < 2026.1.0 | 2026.1.0 | Apr 24, 2026 | pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as | |
| CVE-2026-41241 | Hig | 8.7 | < 2026.1.0 | 2026.1.0 | Apr 23, 2026 | pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields | |
| CVE-2023-28459 | — | < 2.3.2 | 2.3.2 | Apr 20, 2023 | pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Users were able to upload crafted HTML documents that trigger the reading of arbitrary files. | ||
| CVE-2023-28458 | — | >= 2.3.1, < 2.3.2 | 2.3.2 | Apr 20, 2023 | pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Organizers can trigger the overwriting (with the standard pretalx 404 page content) of an arbitrary file. |
- affected < 2026.1.0fixed 2026.1.0
pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as
- affected < 2026.1.0fixed 2026.1.0
pretalx is a conference planning tool. Prior to 2026.1.0, The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using innerHTML string interpolation. Any user who controls one of those fields
- CVE-2023-28459Apr 20, 2023affected < 2.3.2fixed 2.3.2
pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Users were able to upload crafted HTML documents that trigger the reading of arbitrary files.
- CVE-2023-28458Apr 20, 2023affected >= 2.3.1, < 2.3.2fixed 2.3.2
pretalx 2.3.1 before 2.3.2 allows path traversal in HTML export (a non-default feature). Organizers can trigger the overwriting (with the standard pretalx 404 page content) of an arbitrary file.