A critical stored cross-site scripting flaw in the open-source conference management platform pretalx exposed conference call-for-papers systems to organizer-session compromise. Tracked as CVE-2026-41241 and rated CVSS 8.7, the bug allowed low-privileged attackers to place malicious HTML or JavaScript in searchable fields including submission titles, speaker display names, usernames, and email addresses. When an organizer searched for the tainted record, the payload could execute in that organizer’s browser, enabling theft of visible data, access to CSRF tokens, and authenticated actions that effectively granted organizer-level control.
Researcher Elad Meged of Novee reported the issue after validating the vulnerable workflow across roughly 40 conferences without deploying live exploit payloads against real targets, while exploit testing was kept to controlled local environments. The report said attackers could also chain the bug with a Content Security Policy bypass by uploading a JavaScript payload disguised as presentation material, and described a no-JavaScript variant that could demote administrators via a superuser-demotion endpoint triggered from an embedded image tag. Pretalx developer Tobias Kunze said 11 findings were reported on April 14, with one deemed serious, and the project fixed the vulnerability in v2026.1.0; researchers also warned that agentic AI could help identify exposed pretalx instances and scale validation or exploitation.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Elad Meged publicly disclosed CVE-2026-41241 as a stored XSS flaw in pretalx that could enable organizer account compromise, data theft, and admin demotion. Reporting described validation across 40 conferences and outlined chained exploitation techniques, including CSP bypass and a no-JavaScript attack path.
Pretalx addressed the stored cross-site scripting vulnerability CVE-2026-41241 in April, releasing a fix in version 2026.1.0. The flaw could allow organizer-session JavaScript execution and organizer-level actions.
Pretalx developer Tobias Kunze said security researcher Elad Meged submitted 11 findings on April 14, with one later assessed as a serious vulnerability. This disclosure included the stored XSS issue later tracked as CVE-2026-41241.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.