Critical XSS Vulnerability in Pretalx Conference Platform Exposed

Critical XSS Vulnerability in Pretalx Conference Platform Exposed

First seen 28 May 2026, 16:06 UTC TheregisterRescanawww.socdefenders.aiScworldgithub.com+1 87% similarity 72.0

Article Content

Browse articles
ThreatCluster

A critical stored XSS vulnerability, CVE-2026-41241, has been discovered in the Pretalx conference management platform. This flaw allows registered users to execute malicious scripts that can compromise organizer accounts, ensuring a 100% acceptance rate for their talk submissions. The vulnerability arises from improper sanitization of user input in backend functionalities, affecting all versions prior to 2026.1.0. The flaw was publicly disclosed on April 23, 2026, and has been patched in version 2026.1.0. Security researcher Elad Meged demonstrated the exploit by submitting talk proposals to multiple conferences without using a live exploit. The vulnerability poses a significant risk to the integrity of conference processes and requires immediate attention from affected organizations.

Key Points: • CVE-2026-41241 is a critical stored XSS vulnerability in Pretalx, affecting all versions before 2026.1.0. • Attackers can exploit this flaw to hijack organizer sessions and manipulate talk submission processes. • The vulnerability has been patched, but immediate action is needed for organizations using older versions.

ThreatCluster AI

Timeline

2026-04-23
CVE-2026-41241 published
A critical stored XSS vulnerability in Pretalx was publicly disclosed, affecting all versions prior to 2026.1.0.
Rescana
2026-04-23
Vulnerability discovered
Elad Meged found the XSS flaw while preparing conference submissions, allowing for unauthorized session control.
Theregister
2026-05-27
Research findings published
Meged shared his findings, demonstrating the exploitability of the vulnerability in a controlled environment.
Theregister
2026-05-28
Patch released
Pretalx version 2026.1.0 was released to address the critical XSS vulnerability, urging users to update.
Rescana

Community

Browse all →