Zero-Click XSS Flaw in pretalx Lets Hackers Hijack Conference Organizer Accounts
What Happened — A reflected cross‑site scripting (XSS) vulnerability in the open‑source conference management platform pretalx can be triggered without any user interaction (zero‑click). Exploitation enables attackers to take over organizer accounts, steal session data, auto‑accept talks, and demote other admins. The flaw was patched in pretalx version 2026.1.0.
Why It Matters for TPRM —
- Account takeover of a third‑party event‑management service can expose confidential agenda and speaker information.
- Manipulated session data can damage brand reputation and trigger regulatory scrutiny for data‑privacy violations.
- Organizations that embed pretalx in their event‑planning workflow must verify that the patch is applied or consider alternative solutions.
Who Is Affected — SaaS/event‑management platforms, technology‑focused conferences, professional societies, and any organization that integrates pretalx for conference scheduling.
Recommended Actions —
- Verify that pretalx instances are running version 2026.1.0 or later; apply the patch immediately.
- Review access controls and session‑handling logic for any custom integrations.
- Conduct a security assessment of third‑party event‑management tools used in your supply chain.
Technical Notes — The vulnerability is a zero‑click reflected XSS that can be triggered via crafted URLs or embedded content, allowing script execution in the context of an authenticated organizer. No CVE has been assigned yet. Affected data includes session titles, speaker bios, and administrative privileges. Source: HackRead