
CVE-2026-41241 is a stored cross-site scripting (XSS) vulnerability in pretalx, an open source conference management tool. Any user who controls a searchable field, such as a submission title, a speaker display name, or a user name or email address, can store arbitrary HTML or JavaScript in it. When an organizer's search query matches the malicious record, the stored payload is rendered unescaped in the search results and executes in the pretalx organizer interface, so a low-privilege submitter can attack a privileged organizer. The executed script can read the page's CSRF token, submit authenticated requests on the victim's behalf (including requests that modify data), and exfiltrate any data visible to the victim. The maintainers patched the flaw in April; the fix ships in pretalx 2026.1.0.
"CVE-2026-41241 is a stored cross-site scripting (XSS) vulnerability in pretalx, a popular open source tool that conference organizers use to manage speaker submissions and schedules, that could allow attackers to effectively take over an organizer's session. Any user controlling searchable fields - including submission titles, speaker display names, and user names or email addresses - could inject arbitrary HTML or JavaScript. When an organizer's search query matched the malicious record, the payload would execute in the organizer interface."
"'Once triggered, the injected script executed in the context of the pretalx organiser interface and could read the page's [Cross-Site Request Forgery] CSRF token, submit authenticated requests on the victim's behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim,' according to pretalx's security advisory."
"Project maintainers patched the flaw in April, and it has been fixed in pretalx 2026.1.0. Elad Meged, founding engineer and security researcher at AI penetration-testing and offensive-security startup Novee, found and disclosed the flaw when he was preparing conference speaker submissions. He noticed the exact same call for proposals (CFP) submission form appearing underneath all of these different hacker conferences and academic symposiums' logos."
"Meged then used the flaw to auto-apply for 40 conferences - and got accepted to present his proposed talk, "Securing Modern Web Apps," at every single one of them. While the events are unique, with different parent companies and organizers, "underneath, it is one codebase serving them all," Meged said in research published on Wednesday and shared in advance with The Register."
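The summary and the quoted advisory describe the classic stored-XSS pattern: a value a low-privilege user stores is later written into an HTML page viewed by a privileged user without output escaping. The following Python sketch is an added illustration of that pattern and its fix, not pretalx's code and not a claim about how the project's search view was implemented or patched. It assumes a search over submission rows whose results are built into an HTML table, and uses constructed sample records with a placeholder `<script>` tag in place of a real payload. The hardened renderer also shows the ordering trap that search UIs fall into when they highlight the matched query: escape the stored value first, then apply highlighting with an equally escaped query.

```python
import html
import re

# Constructed sample records standing in for searchable submission rows. The second
# title carries a placeholder script tag; it is illustrative data, not content from
# any real pretalx instance.
SUBMISSIONS = [
    {"title": "Securing Modern Web Apps", "speaker": "Jane Doe"},
    {"title": "Securing Modern Web Apps <script>stolen()</script>", "speaker": "Mallory"},
]

FIELDS = ("title", "speaker")


def search(records, query):
    """Return the records whose searchable fields contain the query (case-insensitive).
    The filter itself is harmless; the bug lives in how matches are rendered."""
    q = query.lower()
    return [r for r in records if any(q in r[f].lower() for f in FIELDS)]


def render_results_vulnerable(records):
    """Build the organizer-facing result table by formatting raw field values into
    HTML. Stored markup is emitted as markup and runs in the viewer's session."""
    rows = "".join(
        f"<tr><td>{r['title']}</td><td>{r['speaker']}</td></tr>" for r in records
    )
    return f"<table>{rows}</table>"


def highlight(escaped_text, query):
    """Wrap matches of the query in <mark>. Operates on text that is already escaped
    and escapes the query the same way, so highlighting cannot reintroduce markup.
    (A match inside an entity such as &amp; would only garble that entity's display.)"""
    if not query:
        return escaped_text
    pattern = re.compile(re.escape(html.escape(query)), re.IGNORECASE)
    return pattern.sub(lambda m: f"<mark>{m.group(0)}</mark>", escaped_text)


def render_results_hardened(records, query=""):
    """Same table, but each field is HTML-escaped at the point of output and the
    match highlighting is applied to the escaped value, in that order."""
    rows = "".join(
        "<tr>"
        + "".join(f"<td>{highlight(html.escape(r[f]), query)}</td>" for f in FIELDS)
        + "</tr>"
        for r in records
    )
    return f"<table>{rows}</table>"


# Crude demo check: a raw script-bearing tag or an inline event handler in the output.
ACTIVE_MARKUP = re.compile(r"<(script|img|svg|iframe|[a-z]+\s+on\w+\s*=)", re.IGNORECASE)


def contains_active_markup(fragment):
    """Does the rendered HTML contain active markup, as opposed to escaped &lt;...&gt; text?"""
    return ACTIVE_MARKUP.search(fragment) is not None


if __name__ == "__main__":
    hits = search(SUBMISSIONS, "securing")
    print("vulnerable:", render_results_vulnerable(hits))
    print("hardened:  ", render_results_hardened(hits, "securing"))
```

Running the block prints both renderings of the same two hits: the vulnerable table contains a live `<script>` element, the hardened one shows the tag as visible text inside the cell while still highlighting the matched word. In a Django application the template engine's autoescaping gives the hardened behaviour by default; the pattern to look for in review is any place that bypasses it (`mark_safe`, `|safe`, or results assembled by string formatting outside the template) for a field a submitter can write.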
Read at theregister