How to guarantee a speaker gig: Hack the system. Literally

A security researcher found a foolproof way to guarantee tech conferences accept his speaker submissions: hack their systems. CVE-2026-41241 is a stored cross-site scripting (XSS) vulnerability in pretalx, a popular open source tool that conference organizers use to manage speaker submissions and schedules, that could allow attackers to effectively take over an organizer's session. Any user controlling searchable fields - including submission titles, speaker display names, and user names or email addresses - could inject arbitrary HTML or JavaScript. When an organizer's search query matched the malicious record, the payload would execute in the organizer interface. "Once triggered, the injected script executed in the context of the pretalx organiser interface and could read the page's [Cross-Site Request Forgery] CSRF token, submit authenticated requests on the victim's behalf (including requests modifying data due to access to the CSRF token), or exfiltrate data visible to the victim," according to pretalx's security advisory. Project maintainers patched the flaw in April, and it has been fixed in pretalx 2026.1.0. Elad Meged, founding engineer and security researcher at AI penetration-testing and offensive-security startup Novee, found and disclosed the flaw when he was preparing conference speaker submissions. He noticed the exact same call for proposals (CFP) submission form appearing underneath all of these different hacker conferences and academic symposiums' logos. 'One codebase serving them all' While the events are unique, with different parent companies and organizers, "underneath, it is one codebase serving them all," Meged said in research published on Wednesday and shared in advance with The Register. Meged then used the flaw to auto-apply for 40 conferences - and got accepted to present his proposed talk, "Securing Modern Web Apps," at every single one of them. While Meged did submit real entries, he did not submit a live exploit payload into the conference systems. The Novee team validated all of their findings on a local instance. They didn't do any testing on pretalx.com or a third-party-hosted instance. "The goal was to validate the vulnerable workflow in the exact real-world setup while avoiding unnecessary harm," Meged told The Register. "So, we used realistic, normal-looking talk submissions and then validated exploitability through controlled, version-specific testing." Some of the events that use pretalx-based CFP infrastructure include OffensiveCon, TROOPERS, FOSDEM, HEXACON, and Recon, he told us, stressing that this does not mean any of these conferences were actively exploited or compromised. For any conferences that used pretalx for talk submissions, but weren't accepting submissions at the time, Meged followed up with them via responsible disclosure. And yes, Meged admits that he could have had more fun with the talk title, but he wanted to make it "intentionally boring and plausible," to blend in with other proposals. "I agree something outrageous would have been funnier, but it would also have been less responsible," he said. Human led, AI agent assist Meged described the research as "human-led vulnerability research, agent-assisted at internet scale." Once they understood the type of vulnerability, any "capable web security researcher" could reproduce the exploit, he said, adding "this would not require nation-state-level skill." Scaling the attack, reliably reproducing it, and adjusting the attack chain to each real-world pretalx deployment, however, benefited from an agentic AI assist - and this wasn't "a one-off script or a prank CFP submission," he told us. "Different pretalx versions, deployment choices, and enabled features can change the behavior," Meged said. "Something that works on one instance may fail on another or require a different validation path." Plus, some conferences use hosted infrastructure, while others run their own self-hosted instances. So the security shop built an agentic fingerprinting and validation system to scan the internet for public-facing, vulnerable systems, learn as much as possible about the version and configuration, and find the best way to exploit them. 'This type of work does not scale manually' "This type of work does not scale manually," Meged said. "A human can find the core idea, understand the primitive, and make the responsible disclosure decisions. But mapping internet-wide exposure, fingerprinting many deployments, comparing versions, modeling behavior, adjusting validation logic, and organizing disclosure steps is exactly where AI agents become useful. The agents helped with discovery, fingerprinting, version comparison, environment modeling, controlled validation, note-taking, and disclosure workflow management." After finding and fingerprinting public pretalx deployments, and identifying version-specific behavior, the agents selected the best non-destructive validation path for each one. While there's no indication that attackers found and exploited the security issue before Novee's team, it's serious in that it could have granted organizer-level access to the conference call-for-proposal and scheduling system - these typically contain speaker identities, submissions, acceptance decisions, and private communications between conference organizers and speakers. Gaining access to this type of information could have allowed for targeted phishing or other trust-based attacks impersonating a well-known industry event. "With organizer-level access, an attacker could potentially read or modify submissions, interfere with the review process, impersonate conference staff, alter CFP data, or communicate with speakers and submitters from a trusted conference context," Meged said. "The most realistic abuse case is targeted phishing or lateral movement through trust. If a speaker, sponsor, reviewer, or attendee receives a link or request from what appears to be a legitimate conference system, they are much more likely to trust it," he added. "So the story is not just: Someone could get a fake talk accepted. The bigger risk is that a trusted conference platform could become a launchpad for attacks against the entire event ecosystem." Tobias Kunze, a developer who created pretalx, told The Register that Meged reported 11 security findings on April 14, he assessed all of these and classed one as a serious vulnerability and five as non-vulnerability bugs - but with fixes - and five more as non-critical or intended behavior. "Contact with Elad was very positive and professional," Kunze told us. "We discussed the severity and impact of his findings, and it was as good a report as a small open source project like pretalx can hope to receive." (R)