CVE-2026-23836
Unknown Unknown - Not Provided
Arbitrary PHP Code Execution in HotCRP Formulas via Unsanitized Input

Publication date: 2026-01-19

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23836
EUVD
EUVD-2026-3305
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hotcrp hotcrp From 3.0 (inc) to 3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23836 is a critical remote code execution vulnerability in HotCRP conference review software versions 3.0 through 3.1. It was introduced in April 2024 due to inadequately sanitized code generation in the formula evaluation component, allowing users to execute arbitrary PHP code remotely without user interaction. The vulnerability arises from how HotCRP formulas are compiled and evaluated, where maliciously crafted formula expressions can inject and execute arbitrary PHP code. This issue was fixed in version 3.2 by sanitizing formula expressions, controlling the evaluation context with braces, and safely embedding debug information to prevent code injection. [1, 2]

Impact Analysis

This vulnerability allows remote attackers with low privileges to execute arbitrary PHP code on the HotCRP server without any user interaction. This can lead to complete compromise of the system, including unauthorized access, data disclosure, modification, and denial of service. The CVSS score is critical (9.9 or 10.0), indicating high impact on confidentiality, integrity, and availability of the affected system. [2]

Detection Guidance

The provided resources do not include specific commands or methods to detect the vulnerability on a network or system. However, enabling the enhanced debugging features introduced in the patched code (such as setting the DEBUG constant to 1 or 2) can help log and inspect formula compilation and evaluation, which may aid in identifying suspicious formula expressions. No explicit detection commands are provided. [3]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade HotCRP to version 3.2 or later, where the vulnerability is patched. The patch includes sanitizing formula expressions, controlling evaluation context by adding braces around expressions, and introducing a protect_string method to prevent code injection. Until the upgrade, consider disabling formula evaluation features or restricting user privileges to limit exposure. [1, 2]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23836. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart