Author: Stefan Schiller
Word count: 1786
Language: English
Hacker News points: None

Summary

Pretalx, a popular web-based conference planning tool, was found to have two security vulnerabilities: an arbitrary file read and a limited file write. These were discovered during an audit and could allow attackers to access sensitive data or execute malicious code. The first vulnerability allows a privileged user to disclose any file from the server's filesystem; the second allows a user with access to a scheduled talk to write files to the server's filesystem. A generic technique was also found that turns a file write vulnerability into code execution by leveraging Python's site-specific configuration hooks. These vulnerabilities were fixed in Pretalx version 2.3.2 within an astonishingly short time frame: fewer than three hours after notification.