Description
HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2.
Published: 2026-01-19
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

HotCRP's formula engine lacked a sanitization step from April 2024 onward, so PHP code generated from user-supplied formulas ran unfiltered. The flaw allows an attacker with formula creation rights to inject and execute arbitrary PHP code on the server, leading to full compromise of the HotCRP instance, including theft of credentials, data exfiltration, or modification of reviews.

Affected Systems

Affected vendor: Kohler HotCRP (conference review software). The vulnerability exists in all 3.1 releases that include the April 2024 patch, and is resolved starting with release version 3.2. No other product versions are listed as impacted, but any installation running HotCRP 3.1 or earlier is potentially vulnerable.

Risk and Exploitability

The CVSS base score is 10, indicating maximum severity. The EPSS score is below 1%, suggesting that the probability of exploitation is currently very low. The vulnerability is not present in the CISA KEV catalog. Exploitation likely requires the attacker to create or edit a formula through the web UI, which usually requires at least reviewer or author rights, so the attack vector is remote via the web interface from an authenticated user with formula privileges.

Generated by OpenCVE AI on April 18, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HotCRP to version 3.2 or later.
  • If immediate upgrade cannot be performed, restrict or disable the formula editing feature to prevent code injection.
  • Verify that all users with formula creation privileges are legitimate and monitor for abnormal activity.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:hotcrp:hotcrp:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hotcrp; Hotcrp hotcrp
Vendors & Products | | Hotcrp; Hotcrp hotcrp

Mon, 19 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2.
Title | | HotCRP vulnerable to remote code execution through formulas
Weaknesses | | CWE-20
References | |
Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T21:40:24.493Z

Reserved: 2026-01-16T15:46:40.841Z

Link: CVE-2026-23836

Vulnrichment

Updated: 2026-01-20T21:40:22.096Z

NVD

Status: Analyzed

Published: 2026-01-19T18:16:06.147

Modified: 2026-02-18T16:01:00.990

Link: CVE-2026-23836

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses