CVE-2026-23836
Arbitrary PHP Code Execution in HotCRP Formulas via Unsanitized Input
Publication date: 2026-01-19
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hotcrp | hotcrp | From 3.0 (inc) to 3.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23836 is a critical remote code execution vulnerability in HotCRP conference review software versions 3.0 through 3.1. It was introduced in April 2024 due to inadequately sanitized code generation in the formula evaluation component, allowing users to execute arbitrary PHP code remotely without user interaction. The vulnerability arises from how HotCRP formulas are compiled and evaluated, where maliciously crafted formula expressions can inject and execute arbitrary PHP code. This issue was fixed in version 3.2 by sanitizing formula expressions, controlling the evaluation context with braces, and safely embedding debug information to prevent code injection. [1, 2]
How can this vulnerability impact me?
This vulnerability allows remote attackers with low privileges to execute arbitrary PHP code on the HotCRP server without any user interaction. This can lead to complete compromise of the system, including unauthorized access, data disclosure, modification, and denial of service. The CVSS score is critical (9.9 or 10.0), indicating high impact on confidentiality, integrity, and availability of the affected system. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific commands or methods to detect the vulnerability on a network or system. However, enabling the enhanced debugging features introduced in the patched code (such as setting the DEBUG constant to 1 or 2) can help log and inspect formula compilation and evaluation, which may aid in identifying suspicious formula expressions. No explicit detection commands are provided. [3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade HotCRP to version 3.2 or later, where the vulnerability is patched. The patch includes sanitizing formula expressions, controlling evaluation context by adding braces around expressions, and introducing a protect_string method to prevent code injection. Until the upgrade, consider disabling formula evaluation features or restricting user privileges to limit exposure. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.