Skip to main content
CybersecurityVulnerability Management

Security Researcher Exploits Flaw in Pretalx Conference Tool

Conference organizer working on laptop in quiet office with city view.

CVE-2026-41241 is a stored cross-site scripting (XSS) vulnerability in pretalx, the open-source call-for-proposals and scheduling tool used by many conference organizers, that could allow an attacker to execute arbitrary HTML or JavaScript inside an organiser's interface.

CVE-2026-41241 and pretalx 2026.1.0

Pretalx maintainers described the flaw as a stored XSS that could be injected through any searchable field — submission titles, speaker display names, user names or email addresses — and would run when an organiser's search query matched the malicious record. According to pretalx's security advisory, "Once triggered, the injected script executed in the context of the pretalx organiser interface and could read the page's [Cross-Site Request Forgery] CSRF token, submit authenticated requests on the victim's behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim." Project maintainers patched the flaw in April and fixed it in pretalx 2026.1.0.

How Elad Meged found and demonstrated the issue

Elad Meged, founding engineer and security researcher at AI penetration‑testing startup Novee, discovered the flaw while preparing speaker submissions. He noticed the same CFP submission form appearing under many different conference logos and summed up the observation: "One codebase serving them all." After identifying the vulnerability, Meged used it to auto‑apply to 40 conferences and — using realistic, normal‑looking talk submissions — was accepted to present his proposed talk, "Securing Modern Web Apps," at every single one.

Meged stressed that he did not submit a live exploit payload to public pretalx instances. Novee validated findings on a local instance and avoided testing on pretalx.com or third‑party hosted instances. For conferences that used pretalx but were not accepting submissions at the time, Meged followed up via responsible disclosure. He said he chose an "intentionally boring and plausible" talk title to blend in rather than draw attention.

Agentic AI assist, fingerprinting, and validation at internet scale

Meged described the effort as "human‑led vulnerability research, agent‑assisted at internet scale." Once the vulnerability primitive was understood, Novee's team built an agentic fingerprinting and validation system to scan the internet for public‑facing pretalx deployments, learn about version and configuration differences, and find the best non‑destructive validation path for each instance. Meged said the agents helped with discovery, fingerprinting, version comparison, environment modeling, controlled validation, note‑taking, and disclosure workflow management.

"This type of work does not scale manually," he added, noting that different pretalx versions, deployment choices, and enabled features can change exploit behavior and require version‑specific adjustments.

Potential abuses: organiser‑level access, impersonation, and phishing

The technical impact is not limited to one fake accepted talk. Meged warned that organiser‑level access could allow an attacker to read or modify submissions, interfere with the review process, impersonate conference staff, alter CFP data, or communicate with speakers and submitters from a trusted conference context. He called the most realistic abuse case "targeted phishing or lateral movement through trust": if a speaker, sponsor, reviewer or attendee receives a link or request from what appears to be a legitimate conference system, they are far more likely to trust it.

Pretalx's advisory highlights the mechanics that make such abuses feasible: access to CSRF tokens, the ability to submit authenticated requests, and the capacity to exfiltrate data visible to an organiser in the interface.

What this means for pretalx deployers, conference organisers, and attendees

  • Pretalx deployers: the vulnerability has been patched in pretalx 2026.1.0; maintainers and operators should apply the update and review searchable fields handling and input sanitisation in their configurations.
  • Conference organisers: because many events reuse the same codebase for CFP workflows, organisers should audit past submissions and acceptance communications for anomalies and treat unexpected requests originating from conference systems with caution.
  • Speakers and attendees: be wary of links or requests that appear to come from a conference's platform and verify unusual messages through independent channels before clicking or responding.

Tobias Kunze, the developer who created pretalx, told The Register that Meged reported 11 security findings on April 14; Kunze assessed one as a serious vulnerability, five as non‑vulnerability bugs that nevertheless needed fixes, and five as non‑critical or intended behavior. "Contact with Elad was very positive and professional," Kunze said.

The record in the advisory and reporting contains no indication that attackers found and exploited the security issue before Novee's disclosure. Yet the episode underscores how a single open‑source codebase, reused across multiple events, can create a common point of failure — and how automation and agentic tooling can turn a local flaw into an internet‑scale discovery. Who will be watching for similar primitives next time — and whether defenders can stay a step ahead of agentic discovery pipelines — are now practical questions for organisers and maintainers alike.

Original story at The Register