CVE-2026-25156
Unknown Unknown - Not Provided
Cross-Site Scripting in HotCRP Document Rendering Component

Publication date: 2026-01-30

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with β€œfile upload” or β€œattachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-30
Last Modified
2026-02-19
Generated
2026-05-07
AI Q&A
2026-01-31
EPSS Evaluated
2026-05-05
NVD
CVE-2026-25156
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hotcrp hotcrp 3.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in HotCRP conference review software caused documents of all types to be delivered inline in the user's browser instead of being downloaded, when only certain types were intended to be inline. This allowed an attacker to upload malicious HTML or SVG documents that would execute JavaScript in the user's browser with access to their HotCRP credentials, enabling cross-site scripting (XSS) attacks and arbitrary API calls. The issue affected versions from October 2025 through January 2026 and was fixed in version 3.2.1.


How can this vulnerability impact me? :

If exploited, this vulnerability could allow attackers to execute malicious scripts in the context of the user's browser, stealing HotCRP credentials and making unauthorized API calls. This could lead to unauthorized access to sensitive conference review data and manipulation of the system through the compromised user account.


What immediate steps should I take to mitigate this vulnerability?

Upgrade HotCRP to version 3.2.1 or later, which includes the fix for this vulnerability. Additionally, avoid uploading HTML or SVG documents to submission fields or as attachments to comments until the update is applied. Note that PDF upload fields are not vulnerable.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart