Pretalx patched stored XSS flaw CVE-2026-41241 that could let conference organizers' accounts be hijacked

Pretalx, an open source platform used by many conferences to manage calls for proposals and schedules, fixed a flaw that could let a malicious speaker submission run code in an organizer's browser. The issue, CVE-2026-41241, is a stored cross-site scripting (XSS) bug in searchable fields such as submission titles, speaker names, usernames, and email addresses: when an organizer searched for a matching record, attacker-supplied HTML or JavaScript could execute, steal a cross-site request forgery (CSRF) token, submit authenticated actions, or exfiltrate visible data. It was patched in April; the fix ships in pretalx 2026.1.0.
Why it matters: Conference teams using pretalx could have had proposal data changed or organizer sessions abused simply by viewing malicious submissions, so affected admins should update to pretalx 2026.1.0 or later and review organizer access and stored submissions. Because pretalx is reused across many events, one product bug can affect multiple independent conference systems at once.
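The bug class above, stored XSS in searchable fields, is easiest to see in the place where search results are turned into HTML. The following is an added example, written for this page and not pretalx's own code: a toy search-result renderer with the vulnerable pattern (untrusted titles and speaker names interpolated straight into markup while highlighting the matched term) beside the hardened form (every untrusted fragment escaped before the `<mark>` wrapper is added), plus a small check that flags any tag in the output that the renderer itself did not emit. The submission records and the hostile title are constructed sample data.

```python
import html
import re

# Constructed sample records; the second one carries markup in user-controlled
# fields, the shape of input the stored-XSS advisory describes.
SUBMISSIONS = [
    {"title": "Fuzzing embedded TLS stacks", "speaker": "Alice Example"},
    {"title": "Hello <script>alert(1)</script>", "speaker": "Mallory <b>Bold</b>"},
]

# Tags the renderer below emits on its own; anything else in the output
# must have come from untrusted data.
ALLOWED_TAGS = {"table", "tr", "td", "mark"}


def search(submissions, term):
    """Case-insensitive substring match over the searchable fields."""
    t = term.lower()
    return [s for s in submissions
            if t in s["title"].lower() or t in s["speaker"].lower()]


def highlight_unsafe(text, term):
    """Vulnerable: wraps matches in <mark> but returns the untrusted text
    otherwise unchanged, so any markup stored in the field reaches the page."""
    pattern = re.compile(re.escape(term), re.IGNORECASE)
    return pattern.sub(lambda m: "<mark>" + m.group(0) + "</mark>", text)


def highlight_safe(text, term):
    """Hardened: escape every untrusted fragment first, then add the <mark>
    wrapper around the (also escaped) matched substring."""
    pattern = re.compile(re.escape(term), re.IGNORECASE)
    out, pos = [], 0
    for m in pattern.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        out.append("<mark>" + html.escape(m.group(0)) + "</mark>")
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def render_results(submissions, term, highlighter):
    """Build the organizer-facing results table using the given highlighter."""
    rows = []
    for s in search(submissions, term):
        rows.append("<tr><td>" + highlighter(s["title"], term) + "</td>"
                    "<td>" + highlighter(s["speaker"], term) + "</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def foreign_tags(rendered):
    """Return tag names present in the rendered HTML that the renderer never
    emits itself. A non-empty result means untrusted data was not escaped."""
    found = {t.lower() for t in re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", rendered)}
    return sorted(found - ALLOWED_TAGS)


if __name__ == "__main__":
    for name, fn in (("unsafe", highlight_unsafe), ("safe", highlight_safe)):
        page = render_results(SUBMISSIONS, "hello", fn)
        print(name, "foreign tags:", foreign_tags(page))
        print(page)
```

In a Django application such as pretalx, template autoescaping already does what `highlight_safe` does; the usual way this class of bug appears is HTML assembled in Python for a highlighted snippet and then marked safe as a whole, which is exactly `highlight_unsafe`. The `foreign_tags` check is a cheap regression test to keep next to any renderer that mixes user data with markup.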

Sources

Vulnerability in Popular Conference Software Granted Attackers a 100% Talk Acceptance Rate
Eduard Kovacs 2026.05.27 97% relevant
This is the same underlying event: disclosure of CVE-2026-41241 in Pretalx and its patch in version 2026.1.0. The article adds clearer detail on the attack chain, explaining that a malicious speaker submission could trigger stored XSS when organizers search submissions, enabling organizer account takeover and abuse across multiple Pretalx-powered conferences.
How to guarantee a speaker gig: Hack the system. Literally
2026.05.27 100% relevant
This article appears to be the first tracked item establishing the pretalx CVE-2026-41241 disclosure, exploit mechanics, and patched version.