
Researchers at Novee Security disclosed a high-severity XSS vulnerability in Pretalx that can be exploited to silently execute malicious code in organizers' browsers. The flaw affects many technical conferences worldwide, and a single attack could compromise multiple events. The vulnerability was patched in version 2026.1.0; before the fix, the application's existing security mechanisms were circumvented by combining otherwise harmless features to achieve full JavaScript execution.
"The flaw, CVE-2026-41241, allowed any registered conference speaker to plant malicious code that would silently execute the moment an organizer searched for the attacker's submission."
"A malicious actor could submit a booby-trapped talk proposal to multiple conferences, wait for organizers to search their submission, and then have those organizers' accounts automatically compromised without any further interaction."
"The impact could extend to a 100% talk acceptance rate. An attacker armed with this vulnerability and an AI agent could, in theory, automate submissions to every Pretalx-powered event, embed the malicious payload in submission titles loaded with common search terms, and wait for organizers' queries to trigger the exploit, effectively forcing their talks to be accepted without any genuine review."
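The pattern the quotes describe, a payload stored in a submission title that fires when it is rendered in an organizer's search results, is a rendering-side failure. As an added example that is not Pretalx code and does not reproduce the actual CVE-2026-41241 bypass (the page gives no detail on it), the Python below shows a search-results renderer that interpolates untrusted titles straight into HTML beside one that escapes every text segment before adding its own markup; `Submission`, `SAMPLE_SUBMISSIONS` and the `<mark>` highlighting are constructed assumptions.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Submission:
    """Constructed stand-in for a proposal record; only the title is attacker-controlled."""
    code: str
    title: str

# Constructed sample data: one benign proposal and one carrying markup in its title.
SAMPLE_SUBMISSIONS = [
    Submission("ABC12", "Kubernetes security in practice"),
    Submission("XYZ99", "Kubernetes <script>alert(1)</script> security"),
]

def search(submissions, query):
    """Case-insensitive substring search, as an organizer's search box would do."""
    return [s for s in submissions if query.lower() in s.title.lower()]

def render_row_unsafe(sub, query):
    """Anti-pattern: the untrusted title is interpolated straight into HTML and the
    highlight is added by plain string replacement, so any tag inside the title is
    handed to the organizer's browser as markup rather than as text."""
    highlighted = sub.title.replace(query, f"<mark>{query}</mark>")
    return f"<tr><td>{sub.code}</td><td>{highlighted}</td></tr>"

def render_row_safe(sub, query):
    """Hardened form: locate matches in the raw title, but escape every text segment
    before it reaches the markup. The <mark> tags are the only HTML this renderer
    emits itself, so highlighting cannot reintroduce raw tags from the title."""
    parts = []
    pos = 0
    if query:
        for m in re.finditer(re.escape(query), sub.title, re.IGNORECASE):
            parts.append(html.escape(sub.title[pos:m.start()], quote=True))
            parts.append("<mark>" + html.escape(m.group(0), quote=True) + "</mark>")
            pos = m.end()
    parts.append(html.escape(sub.title[pos:], quote=True))
    return f"<tr><td>{html.escape(sub.code, quote=True)}</td><td>{''.join(parts)}</td></tr>"

def render_results(submissions, query, safe=True):
    """Render the fragment an organizer sees after searching; safe=False shows the bug."""
    render = render_row_safe if safe else render_row_unsafe
    rows = "".join(render(s, query) for s in search(submissions, query))
    return "<table>" + rows + "</table>"
```

Output encoding at the rendering layer is the control that matters here; flagging titles that contain angle brackets can help triage, but it is not a substitute for escaping.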
Read at SecurityWeek