Vulnerability in Popular Conference Software Granted Attackers a 100% Talk Acceptance Rate
Publish Date: 2026-05-27 10:30:00
Source Domain: www.securityweek.com
Summary:
Researchers from Novee Security have identified a high-severity stored XSS vulnerability (CVE-2026-41241) in Pretalx, an open-source platform widely used for call-for-papers and event scheduling at technical conferences. The issue allowed a registered speaker to embed malicious code in a submission that executes automatically when an organizer searches for that submission. If exploited, the vulnerability could allow an attacker to compromise conference organizers' accounts and potentially bypass the talk acceptance process entirely. The flaw bypassed the platform's and the browser's usual security measures, enabling widespread, simultaneous attacks across conferences running a shared Pretalx codebase. The vulnerability has since been patched in Pretalx version 2026.1.0. The researchers demonstrated the scenario with a proof-of-concept to highlight the risks.
Key Points:
- A critical stored XSS vulnerability found in Pretalx allows a speaker to execute malicious code when an organizer searches for the speaker's submission.
- CVE-2026-41241 could enable attacks across multiple conferences sharing the same codebase simultaneously.
- The vulnerability could be exploited to force automated acceptance of submissions without review for affected conferences.
- A novel combination of platform features and search-result display enabled full JavaScript execution.
- The issue was demonstrated via a proof-of-concept to show its significant real-world impact.
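As an added illustration that is not part of this report and does not reproduce Pretalx's code, the constructed Python snippet below contrasts an unescaped search-result highlighter with an escaped one. The highlighting step, the sample submissions and the function names are assumptions chosen to show how markup stored in a speaker-controlled field can reach an organizer's browser through a search view; they are not the specific defect the researchers found.

```python
import html
import re

# Constructed sample submissions (not taken from the advisory). Submission 2
# carries hostile markup in a field that a speaker controls.
SUBMISSIONS = [
    {"id": 1, "title": "Fuzzing Django forms at scale"},
    {"id": 2, "title": "Hi <img src=x onerror=alert(1)>"},
]


def highlight_unsafe(title, query):
    # Vulnerable pattern (hypothetical): stored text is inserted into HTML
    # verbatim, so whatever the speaker saved is rendered for the organizer.
    return title.replace(query, f"<mark>{query}</mark>")


def highlight_safe(title, query):
    # Hardened pattern: escape the stored text and the query first, then add
    # the highlight markup around the escaped form of the query.
    escaped_title = html.escape(title, quote=True)
    escaped_query = html.escape(query, quote=True)
    if not escaped_query:
        return escaped_title
    return re.sub(
        re.escape(escaped_query),
        lambda m: f"<mark>{m.group(0)}</mark>",
        escaped_title,
    )


def render_results(submissions, query, highlighter):
    # Builds the organizer's search-result list; only the submission fields
    # are untrusted, the surrounding tags are template-owned.
    rows = [
        f'<li data-id="{s["id"]}">{highlighter(s["title"], query)}</li>'
        for s in submissions
        if query in s["title"]
    ]
    return "<ul>" + "".join(rows) + "</ul>"


if __name__ == "__main__":
    print(render_results(SUBMISSIONS, "Hi", highlight_unsafe))
    print(render_results(SUBMISSIONS, "Hi", highlight_safe))
```

Running it shows the unsafe renderer emitting the stored `<img ...>` tag into the organizer's page, while the safe renderer emits it as inert text with only the template's own `<mark>` markup added.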