2026.2.0 2026-07-08

See the release blog post.

Note

Users of pretalx.com are already on the latest version of pretalx and have access to all of the listed new features and bugfixes. Administrators of self-hosted pretalx instances can find upgrade instructions here.

Security

  • File uploads and proposal attachments are now restricted to a safe set of file types.

  • The login and registration rate limit can no longer be bypassed by spoofing the X-Forwarded-For header.

  • An API token restricted to specific events could still read and modify organiser-wide team data (including team member details and invitation tokens) for other events of the same organiser. Such tokens are now refused on organiser-level endpoints unless they cover all of the organiser’s events.

  • Fixed a cross-site scripting vulnerability where the Markdown preview of a proposal could run scripts in the browser of an organiser or reviewer viewing it.

  • The installation documentation now describes additional reverse-proxy hardening measures that you should add to the /media/ path, so that uploaded files cannot be executed or rendered as scripts in other users’ browsers.

  • Fixed a cross-site scripting vulnerability where a custom field help text configured in the CfP editor was not sanitised, so an organiser could run scripts in the browser of other organisers viewing the editor.

  • Fixed a cross-site scripting vulnerability where an organiser email address containing HTML was not escaped in the CfP settings, so it could run scripts in the browser of organisers viewing that page.

Schedule

  • [Feature] The frab-compatible XML and JSON schedule exports now identify the generating instance.

  • [Feature] Control characters are now stripped from the iCal, frab XML/xCal/JSON, and plain-text schedule exports to prevent corruption or output of escape sequences. (#236)

  • [Feature] You can configure sessions to require attendees to sign up. A list of attendees is shown to the speakers of the session as well as the organisers.

  • [Feature] In the embedded schedule widget, the session language is now shown in the session popup if the event has multiple session languages.

  • [Fixed bug] Session pages no longer show a server error when an uploaded session resource has disappeared from storage.

  • [Fixed bug] The schedule no longer shows the “you are not logged in” hint when embedded as a widget, where there is no way to log in anyway.

  • [Fixed bug] The event social-media card (og-image) is now only served for public events, matching the visibility rules of the rest of the public event pages, so an event’s branding images can no longer be retrieved before the event is public.

  • [Fixed bug] The embedded schedule widget now renders titles, tracks, rooms and language names in the locale it was configured with, instead of falling back to the surrounding page’s language when embedded on a site in a different language.

  • [Fixed bug] The public schedule widget and other request-path views no longer regenerate missing avatar thumbnails synchronously; regeneration is queued and the full-size avatar is served until the thumbnail is ready. This also means that schedule and speaker pages now load even when thumbnail generation is broken.

  • [Fixed bug] The calendar attachments sent to speakers on schedule release are now localised to the speaker’s preferred language, so translatable content like room names is rendered in the correct language.

Call for Papers

  • [Feature] Markdown lists now also render correctly when they are not preceded by an empty line, matching most Markdown inputs on the web as well as our preview tab. (#2529)

  • [Feature] The number of co-speaker email addresses that can be entered when submitting a proposal is now capped, so the invitation feature can no longer be abused to send a large number of emails to arbitrary recipients.

  • [Feature] The “My proposals” entry in the user menu (and the matching link on the event start page) is now only shown to users who actually have a proposal, including drafts, for the current event, so attendees without submissions are no longer sent to an empty page.

  • [Fixed bug] Uploading a tall portrait image to the profile picture cropper no longer pushes the “Apply Crop” button out of view. (#2501)

  • [Fixed bug] Track names and descriptions are now consistently escaped when shown in the enhanced dropdown widget, matching how they are handled elsewhere.

  • [Fixed bug] Submitting a proposal with the same access code twice simultaneously no longer lets the code be redeemed more often than its configured maximum uses. (#2393)

  • [Fixed bug] The full proposal content appended to the CfP confirmation email now has its field labels translated in the recipient’s language instead of the language active when the proposal was created.

  • [Fixed bug] Confirmation and content emails now use the organiser’s custom CfP field labels instead of the default field names.

  • [Fixed bug] The “Share proposal” review link is no longer shown to speakers for withdrawn, rejected, or cancelled proposals, where it led to a 404 page.

Organiser backend

  • [Feature] All tables in the organiser area can now be printed with your selection of columns and filters.

  • [Feature] When organisers create a new track, they start out with a suggested colour that is randomly picked while making sure it has good contrast and is different from the track colours already in use.

  • [Feature] CSV exports now start with a UTF-8 byte-order mark, so spreadsheet applications like Excel detect the encoding correctly instead of misinterpreting accented characters, smart quotes and so on.

  • [Feature] When configuring a custom event domain, pretalx now warns if the domain does not appear to point at the main pretalx domain (via a CNAME or a matching DNS address), instead of only checking that the domain resolves at all. The setting can still be saved, since the check cannot cover every valid DNS setup.

  • [Feature] When editing a team’s reviewer track restrictions, the track list is now grouped by event, making it easier to navigate for organisers running many events.

  • [Feature] On a team’s detail page, the delete button is now disabled with an explanation when removing the team would leave the organiser without the required team coverage, instead of the deletion only being refused after the fact.

  • [Feature] The colour picker now checks the chosen colour against both light and dark interface backgrounds. It also highlights the suitable colour range directly in the colour picker, and shows a preview of the colour with text on a light and a dark background.

  • [Fixed bug] Uploading a custom event stylesheet containing @import or other unsupported at-rules (like @keyframes) now shows a validation error instead of a server error.

  • [Fixed bug] Logos uploaded during the initial event creation wizard are now saved, instead of being silently dropped on submission.

  • [Fixed bug] Accepting an organiser team invitation twice simultaneously no longer works; each invite can only be accepted once. (#2392)

  • [Fixed bug] Dropdowns of enhanced select fields inside collapsible sections (such as the event and track restrictions on the team form) are no longer cut off by the surrounding section.

Organiser backend: E-Mails

  • [Feature] When composing a session email to speakers only, a note now explains that submission-level placeholders are unavailable and that proposals or a proposal filter must be selected to use them.

  • [Feature] Sending emails immediately (skipping the outbox) now requires an extra confirmation step that restates how many emails are about to be sent, since these emails cannot be reviewed or recalled.

  • [Fixed bug] Emails to speakers now use the event-specific speaker name in the {name} placeholder and in the recipient list, instead of the speaker’s global account name.

  • [Fixed bug] The default templates for the acceptance and draft reminder emails no longer indent the confirmation and proposal links, which turned them into code blocks in the HTML version of the emails.

  • [Fixed bug] Composing a session email to speakers only with a submission-level placeholder (such as {proposal_code}) in the subject or body no longer raises a server error; the placeholder is now correctly rejected with a validation message.

Organiser backend: Speaker management

  • [Announcement] Changing a speaker’s email address from the organiser speaker form now sends the same confirmation mail to the previous address as a self-service email change, instead of updating the address silently. The old address is also recorded in the user log.

Organiser backend: Review process

  • [Feature] The organiser speaker page no longer shows additional information to reviewers who only have review access.

  • [Fixed bug] Reviewers with track restrictions could see proposals from outside of their tracks if they could change event settings (which includes the ability to change review settings, so they always had the permission to expand what they could see).

  • [Fixed bug] The bulk review page no longer shows the original proposal title to reviewers who are restricted to anonymised review; it now uses the anonymised title like the single-review page and the review dashboard already did.

  • [Fixed bug] When an organiser redacts a field for anonymised review by clearing it, reviewers are now shown the empty redaction instead of the original content. Previously a blanked field silently fell back to the plain value.

Organiser backend: Scheduling

  • [Fixed bug] Dates and times in the schedule editor now follow the organiser’s language again, matching the public schedule, instead of falling back to English formatting (with a 12-hour am/pm clock) in other languages.

  • [Fixed bug] Downloading a schedule export now shows an error message instead of crashing when the export task could not produce a file, for example because the event has no released schedule yet.

API

  • [Feature] You can now change the list of events an API token applies to after it has been created, so you can e.g. update the scope to a new event, or remove an old event, so that a token in active use only has access to the data it really needs. Endpoints and permissions remain fixed and cannot be edited after the token was created.

  • [Feature] API tokens can now be set to apply to all events you have access to, including events not yet created (just like team permissions), so you do not have to update your API token every time you set up a new event.

  • [Feature] Reviewers using the API receive better-restricted proposal and review data, matching the UI.

  • [Fixed bug] The feedback API now only accepts feedback for sessions that are publicly visible, matching the behaviour of the public feedback form. Previously, feedback was also accepted while the schedule was hidden.

  • [Fixed bug] The feedback API no longer contains a numerical rating field. The rating was not exposed anywhere else (the public feedback form never included a rating input).

  • [Fixed bug] Files uploaded via the API are now copied into permanent storage when they are attached to a session resource, event image, or speaker avatar. Previously, the attached file kept pointing at the temporary upload storage, whose files are deleted after a day, leaving the attachment broken.

  • [Fixed bug] The event list endpoint no longer contains the metadata of non-public events outside an API token’s event scope.

  • [Announcement] The legacy API, still used by API tokens created before pretalx v2025.1.0, will be removed in the next release, v2026.3.0. Since the release of the new, versioned API, we have received no major reports of breakage, so it is time to complete the transition. Please upgrade any remaining legacy tokens to API v1 or v2.

  • [Announcement] API v2 has been released. It has one breaking change: it renames the access code fields track/submission_type to tracks/submission_types, which now contain lists of IDs. If you do not use the API for access code data, you can safely upgrade your tokens to v2.

Languages and translations

  • [Fixed bug] File upload help texts (logo, header image, preview image, …) in the organiser backend are now shown in the configured language again instead of always falling back to English. (#2440)

  • [Fixed bug] The contrast hint on colour picker fields is now translatable. (#2440)

General

  • [Feature] Error pages now offer a link back into a public event page.

  • [Feature] Status badges across the organiser backend and speaker area now use better contrast, improving legibility and accessibility.

  • [Feature] Password managers can now reliably associate the account’s email address with the new password when setting a password via a reset or speaker-invite link.

  • [Feature] Error pages now load the event’s custom stylesheets when an event is available on the request, so branded events keep their look on 4xx/5xx pages.

Administrators

  • [Feature] If you use a CDN, a load balancer or other additional proxies in front of your standard HTTP proxy, please set the new trusted_proxy_count setting accordingly. As always, make sure that pretalx can only be reached through your proxies and not directly.

  • [Feature] Released pretalx packages (wheels on PyPI) now ship prebuilt frontend code, so installing pretalx from PyPI no longer requires Node/npm to be present on the server. Building or installing from source still rebuilds the frontend and requires npm as before.

  • [Feature] The optional update check now also reports the Python version and database type/version of the installation, so we can make informed support-matrix decisions. No personal data is transmitted, and the update check can be disabled at any time.

  • [Feature] Administrators can now see when each user account was registered, both on the user list and the user detail page. For accounts created before this release, the date is reconstructed from activity logs and may not be exact. This reconstruction may take some time, depending on how many users are in your database.

  • [Announcement] Redis and Celery workers are now required in production (previously they were only ”strongly recommended”). pretalx check --deploy will fail if the configured redis is unreachable or if no Celery configuration is present. The redis location now defaults to redis://127.0.0.1:6379/1, so a local redis on the default port works out of the box. As a result, the [redis] installation target has been removed. If you have scripts using pretalx[redis] or pretalx[postgres,redis], please remove the redis target.

  • [Announcement] Support for Python 3.12 has been dropped. pretalx now requires Python 3.13 or newer.

  • [Announcement] Pretalx now shows a warning at manage.py check time when Pillow is installed without WebP support, so administrators are made aware that image uploads will not be processed and thumbnails will not be generated.

Developers and plugins

  • [Feature] The public frab JSON schedule export no longer exposes a speaker identifier derived from the speaker’s email address. The per-speaker GUID is now a stable, instance-specific value that cannot be used to confirm or correlate a speaker’s email.

  • [Feature] Plugins responding to the footer_link signal may now include an optional cssclass key to style their footer links.

  • [Announcement] The settings.HAS_REDIS flag has been removed. Plugins that gated behaviour on whether redis was available should drop the check: redis is now part of the required runtime, and cache.* calls can be used unconditionally.

  • [Announcement] A lot of private and a few public APIs were changed. Most notably, MailTemplate.to_mail is dropped and QueuedMail.send is deprecated and will be removed following this release. Please switch your plugins to the new interfaces found in pretalx.mail.domain. The mail placeholder aliases SimpleFunctionalMailTextPlaceholder and MarkdownMailTextPlaceholder have also been removed; use TrustedPlainMailTextPlaceholder and TrustedMarkdownMailTextPlaceholder (or the matching Untrusted… classes for user-supplied content) instead.