Stored XSS in Conference Tool pretalx (CVE-2026-41241) Could Let Attackers Hijack Organizer Sessions
A stored XSS vulnerability in pretalx, an open-source conference management platform, allowed attackers to hijack organizer sessions and auto-accept speaker submissions.

A security researcher has uncovered a stored cross-site scripting (XSS) vulnerability in pretalx, a widely used open-source conference management tool, that could allow attackers to take over organizer accounts and manipulate speaker submissions. The flaw, tracked as CVE-2026-41241, was discovered by Elad Meged, founding engineer and security researcher at AI penetration-testing startup Novee. Meged found that any user controlling searchable fields, such as submission titles, speaker display names, or email addresses, could inject arbitrary HTML or JavaScript. When an organizer's search query matched the malicious record, the payload executed in the organizer's browser, giving the attacker access to the page's CSRF token and the ability to submit authenticated requests on the organizer's behalf.
The vulnerability resides in pretalx's search functionality, which did not escape user-supplied data before rendering it in the organizer dashboard. According to the pretalx security advisory, "Once triggered, the injected script executed in the context of the pretalx organiser interface and could read the page's CSRF token, submit authenticated requests on the victim's behalf, or exfiltrate data visible to the victim." This means an attacker could modify submissions, alter acceptance decisions, or even impersonate conference staff to communicate with speakers and attendees. The project maintainers patched the flaw in April; the fix ships in pretalx version 2026.1.0.
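To make the bug class concrete, here is an added example (written for this article, not pretalx's own code) of the pattern the advisory describes: a search-results renderer that wraps the matched term in `<mark>` but interpolates the stored title and speaker name into HTML without escaping, beside a hardened version that escapes every user-controlled segment before adding any markup. The `SUBMISSIONS` records and the `onerror` payload are constructed for the demonstration; the function names are hypothetical.

```python
import html
import re

# Constructed sample records (not data from any real pretalx instance). The second
# row plays the hostile submitter: its title carries markup that a raw-HTML renderer
# would hand to the organizer's browser as a live element.
SUBMISSIONS = [
    {"title": "Securing Modern Web Apps", "speaker": "A. Speaker"},
    {"title": 'Securing <img src=x onerror="alert(1)"> Web Apps', "speaker": "Mallory"},
]


def _pattern(query):
    """Case-insensitive literal match on the organizer's query; None when empty."""
    return re.compile(re.escape(query), re.IGNORECASE) if query else None


def _matches(record, pattern):
    """A record is a hit when the query occurs in any searchable field."""
    if pattern is None:
        return True
    return any(pattern.search(record[field]) for field in ("title", "speaker"))


def render_results_unsafe(records, query):
    """Vulnerable pattern (hypothetical): field values go into the HTML as-is and
    only the match is wrapped in <mark>, so markup stored by a submitter reaches
    the organizer's page unescaped and is parsed as live elements."""
    pattern = _pattern(query)
    rows = []
    for rec in records:
        if not _matches(rec, pattern):
            continue
        title = rec["title"]
        if pattern is not None:
            title = pattern.sub(lambda m: f"<mark>{m.group(0)}</mark>", title)
        rows.append(f"<tr><td>{title}</td><td>{rec['speaker']}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def highlight_escaped(text, pattern):
    """Escape every segment of user-controlled text first, then add the <mark>
    wrapper around each match. Because escaping happens before any markup is
    inserted, a '<' stored by the submitter becomes '&lt;' and is displayed."""
    if pattern is None:
        return html.escape(text)
    parts = []
    last = 0
    for m in pattern.finditer(text):
        parts.append(html.escape(text[last:m.start()]))
        parts.append("<mark>" + html.escape(m.group(0)) + "</mark>")
        last = m.end()
    parts.append(html.escape(text[last:]))
    return "".join(parts)


def render_results_safe(records, query):
    """Hardened counterpart: same table, every user-controlled field escaped."""
    pattern = _pattern(query)
    rows = []
    for rec in records:
        if not _matches(rec, pattern):
            continue
        title = highlight_escaped(rec["title"], pattern)
        speaker = highlight_escaped(rec["speaker"], pattern)
        rows.append(f"<tr><td>{title}</td><td>{speaker}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def contains_raw_element(rendered_html, tag):
    """True when the output contains a live <tag ...> element; '&lt;tag' is harmless."""
    return re.search(rf"<{tag}\b", rendered_html) is not None


if __name__ == "__main__":
    q = "Securing"
    print("unsafe:", render_results_unsafe(SUBMISSIONS, q))
    print("safe  :", render_results_safe(SUBMISSIONS, q))
```

The point of the two renderers is where escaping sits relative to the highlighting: escaping after the `<mark>` wrapper has been added would neutralize the highlight itself, so the fix is to escape each raw segment and only then concatenate trusted markup around it. In a Django project such as pretalx the same rule applies to template code that marks a highlighted string safe; a Content Security Policy that forbids inline scripts is a useful second layer but does not replace output escaping.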
Meged discovered the vulnerability while preparing his own conference speaker submissions. He noticed that many hacker conferences and academic symposiums used the same pretalx-based call for proposals (CFP) system. "Underneath, it is one codebase serving them all," Meged said in research published Wednesday. Building an automated pipeline around the flaw, he auto-applied to 40 conferences and was accepted to present his talk, "Securing Modern Web Apps," at every single one. Meged emphasized that the submissions were real entries and that he did not deploy a live exploit payload against any production system; all validation of the XSS was done on a local pretalx instance.
The researcher described the work as "human-led vulnerability research, agent-assisted at internet scale." While any capable web security researcher could reproduce the exploit, scaling the attack across different pretalx deployments required an agentic AI system. "Different pretalx versions, deployment choices, and enabled features can change the behavior," Meged explained. "Something that works on one instance may fail on another or require a different validation path." Novee built an agentic fingerprinting and validation system to scan the internet for public-facing vulnerable instances, learn version and configuration details, and determine the best exploitation path for each.
Events that use pretalx-based CFP infrastructure include OffensiveCon, TROOPERS, FOSDEM, HEXACON, and Recon, though Meged stressed that none of these conferences were actively exploited or compromised. For conferences that were not accepting submissions at the time, he followed up via responsible disclosure. The potential impact is significant: with organizer-level access, an attacker could read or modify submissions, interfere with the review process, impersonate conference staff, or communicate with speakers from a trusted context. "The most realistic abuse case is targeted phishing or lateral movement through trust," Meged said.
While there is no evidence that attackers exploited CVE-2026-41241 in the wild before Novee's disclosure, the vulnerability underscores the risks of shared infrastructure in the conference management ecosystem. Organizations using pretalx are urged to update to version 2026.1.0 or later immediately. The incident also highlights how AI agents can amplify vulnerability research, enabling researchers to map internet-wide exposure and coordinate disclosures at a scale that would be impractical manually.
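For operators who want to confirm the upgrade, the following is an added helper (not part of the article or the pretalx project) that reads the installed package version via `importlib.metadata` and compares it with the fixed release named above. pretalx uses calendar-style version strings; the parser also understands PEP 440 pre-release suffixes such as `.dev0` or `rc1`, which must sort before the final release so that a development checkout of 2026.1.0 is not mistaken for the patched version. The function names are this example's own.

```python
import re
from importlib import metadata

# First fixed release, as stated in the advisory coverage above.
FIXED_VERSION = "2026.1.0"

# year.minor.patch with an optional PEP 440 pre-release tag: 2026.1.0, 2026.1.0.dev0, 2026.1.0rc1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.?(dev|a|b|rc)(\d*))?$")

# Pre-release tags rank below the final release (None).
_TAG_RANK = {"dev": 0, "a": 1, "b": 2, "rc": 3, None: 4}


def parse_version(version):
    """Turn a pretalx version string into a tuple that compares correctly.

    The fourth element is the pre-release rank, so '2026.1.0.dev0' < '2026.1.0'
    even though both share the same numeric prefix.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    year, minor, patch, tag, num = m.groups()
    return (int(year), int(minor), int(patch), _TAG_RANK[tag], int(num) if num else 0)


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is the fixed release or newer."""
    return parse_version(installed) >= parse_version(fixed)


def installed_pretalx_version():
    """Version of the pretalx package in this Python environment, or None if absent."""
    try:
        return metadata.version("pretalx")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    current = installed_pretalx_version()
    if current is None:
        print("pretalx is not installed in this environment")
    else:
        state = "patched" if is_patched(current) else "VULNERABLE, upgrade required"
        print(f"pretalx {current}: {state} (fixed in {FIXED_VERSION})")
```

Run it inside the virtual environment that serves the deployment, since `importlib.metadata` only sees packages importable by that interpreter; a container or system-wide install checked from a different environment will report the package as absent.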
Novee Security researchers published the detailed analysis on May 27, 2026, framing the stored XSS (CVE-2026-41241) as a bug that, chained with AI automation, could deliver a 100% talk acceptance rate. The attack works by embedding malicious JavaScript in a submission title that contains common search terms, so that the payload runs silently when an organizer searches for the proposal; from there the script could act within the organizer's session and accept the talk without any genuine review. The flaw is fixed in pretalx version 2026.1.0.