Zero-Click pretalx XSS Flaw Lets Hackers Hijack Conference Organizer Accounts
ID: d392613f-6419-501d-b23a-877c182f6d07
STIX ID: report--d392613f-6419-501d-b23a-877c182f6d07
Feed Name: HackRead
Novee Security disclosed a high-severity stored XSS in pretalx (CVE-2026-41241, CVSS 8.7). A registered user can bypass the Content Security Policy by combining uploaded .js files with an iframe srcdoc, executing code in an organizer's context and hijacking the session; the same flaw also enables admin demotion through image-based requests. The flaw could be mass-weaponized by automated agents, but it was patched in pretalx v2026.1.0 on May 27, 2026.