Description
HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with “file upload” or “attachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`.
Published: 2026-01-30
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: XSS via stored comment attachments can expose HotCRP credentials and enable remote API calls
Action: Immediate Patch
AI Analysis

Impact

Between October 2025 and January 2026 HotCRP delivered every document type with an inline Content‑Disposition, so an uploaded HTML or SVG file opened from a document link was rendered in the viewer’s browser instead of being downloaded. Script in such a file runs in the HotCRP origin with the viewer’s session, so it can read or alter data through HotCRP’s API on the viewer’s behalf (stored cross‑site scripting, CWE‑79). Per the CVSS vector the flaw compromises confidentiality and integrity (C:H/I:H) but not availability (A:N).

Affected Systems

The vulnerability affects kohler’s HotCRP v3.2 and the development builds from 11 October 2025 (commit aa20ef288828b04550950cf67c831af8a525f508) until the fix. It is fixed in HotCRP v3.2.1 (commit 8933e86c9f384b356dc4c6e9e2814dee1074b323; commit c3d88a7e18d52119c65df31c2cc994edd2beccc5, also in v3.2.1, removes the `save=0` override). Affected upload paths are submission fields of type “file upload” or “attachment” and attachments to comments; PDF upload fields were not vulnerable.

Risk and Exploitability

The CVSS 3.1 score is 7.3 (High), the EPSS score is below 1%, and the flaw is not in the CISA KEV catalog. The vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N) means the attacker needs an account that can upload a document (PR:L) and the victim must click the document link (UI:R); the uploaded script then runs with the victim’s session, so whatever the victim can do through the API, the attacker can do too. The maintainers found no evidence of exploitation on hotcrp.com and the SSVC assessment records exploitation as none and not automatable, but the attack needs nothing beyond an upload and a click, so any instance that accepts uploads from untrusted accounts should be patched.

Generated by OpenCVE AI on April 18, 2026 at 14:27 UTC.

Remediation

Fixed upstream in HotCRP v3.2.1 (commit 8933e86c9f384b356dc4c6e9e2814dee1074b323). Commit c3d88a7e18d52119c65df31c2cc994edd2beccc5, also in v3.2.1, removes support for the `save=0` URL parameter that could request inline delivery of any document.

OpenCVE Recommended Actions

  • Upgrade HotCRP to v3.2.1 or later, which restores the MIME‑type allowlist for inline delivery and removes the `save=0` parameter.
  • Verify that documents are served with `Content-Disposition: attachment` unless their type is `text/plain`, `application/pdf`, `image/gif`, `image/jpeg` or `image/png`, and that appending `save=0` to a document URL no longer changes the disposition (for example, request a stored HTML attachment and inspect the response headers).
  • Audit existing uploads in file‑upload and attachment fields and in comment attachments for HTML or SVG content. After patching they are delivered as downloads, but review who uploaded them and remove any that have no legitimate purpose.
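As an added example (not HotCRP’s own code, which is PHP), the Content‑Disposition decision the advisory describes written out in Python: the regressed behaviour, the older allowlist‑plus‑`save=0` behaviour, and the hardened form, followed by a small checker for the verification step above run over a constructed set of response headers. The allowlist is the one the advisory names; the function names, the handling of the `save` argument and the `SAMPLE_RESPONSES` capture are assumptions made for the illustration.

```python
# Added example, not HotCRP code. INLINE_SAFE_MIME is the intended inline set
# named in the advisory; function names, the 'save' argument and the
# SAMPLE_RESPONSES capture are hypothetical.
from typing import Optional
from urllib.parse import quote

# Types the advisory says HotCRP intends to render in the browser.
INLINE_SAFE_MIME = frozenset({
    "text/plain", "application/pdf", "image/gif", "image/jpeg", "image/png",
})


def _mime_only(content_type: str) -> str:
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";")[0].strip().lower()


def _filename_params(filename: str) -> str:
    """RFC 6266 filename parameters: a quoted ASCII fallback plus an RFC 5987
    filename* carrying the exact name. Quotes, backslashes and control
    characters are replaced in the fallback so the header cannot be broken."""
    fallback = "".join(
        c if 32 <= ord(c) < 127 and c not in '"\\' else "_" for c in filename
    ) or "download"
    return f'filename="{fallback}"; filename*=UTF-8\'\'{quote(filename, safe="")}'


def vulnerable_disposition(content_type: str, filename: str,
                           save: Optional[str] = None) -> str:
    """Behaviour the advisory describes for Oct 2025 - Jan 2026: everything
    inline, so an uploaded HTML or SVG file runs in the viewer's origin."""
    return f"inline; {_filename_params(filename)}"


def legacy_disposition(content_type: str, filename: str,
                       save: Optional[str] = None) -> str:
    """Pre-regression intent: allowlist, but save=0 could still force inline
    delivery of any type, which is why v3.2.1 also removed that switch."""
    inline = _mime_only(content_type) in INLINE_SAFE_MIME or save == "0"
    return f"{'inline' if inline else 'attachment'}; {_filename_params(filename)}"


def hardened_disposition(content_type: str, filename: str,
                         save: Optional[str] = None) -> str:
    """Allowlist only. 'save' is accepted for call compatibility and
    deliberately ignored: a URL parameter cannot request inline rendering."""
    inline = _mime_only(content_type) in INLINE_SAFE_MIME
    return f"{'inline' if inline else 'attachment'}; {_filename_params(filename)}"


def audit_response(content_type: str, disposition: Optional[str]) -> list:
    """Findings for one observed document response; an empty list means the
    response matches the post-fix policy."""
    mime = _mime_only(content_type)
    if disposition is None:
        # No header at all: browsers treat the response as inline.
        return [f"{mime}: no Content-Disposition header (defaults to inline)"]
    kind = disposition.split(";")[0].strip().lower()
    if kind == "inline" and mime not in INLINE_SAFE_MIME:
        return [f"{mime}: delivered inline"]
    if kind not in ("inline", "attachment"):
        return [f"{mime}: unexpected disposition type {kind!r}"]
    return []


# Constructed sample of (url, Content-Type, Content-Disposition) as a proxy or
# a curl -I run might capture after patching; two entries should be flagged.
SAMPLE_RESPONSES = [
    ("/doc/paper1.pdf", "application/pdf", 'inline; filename="paper1.pdf"'),
    ("/doc/notes.txt", "text/plain; charset=utf-8", 'inline; filename="notes.txt"'),
    ("/doc/report.html", "text/html; charset=utf-8", 'attachment; filename="report.html"'),
    ("/doc/evil.svg", "image/svg+xml", 'inline; filename="evil.svg"'),
    ("/doc/data.zip?save=0", "application/zip", None),
]


def run_audit(responses) -> dict:
    """Map each URL whose response violates the policy to its findings."""
    result = {}
    for url, content_type, disposition in responses:
        findings = audit_response(content_type, disposition)
        if findings:
            result[url] = findings
    return result


if __name__ == "__main__":
    for url, findings in run_audit(SAMPLE_RESPONSES).items():
        print(url, "->", "; ".join(findings))
```

Run against your own captured headers, the audit flags any non‑allowlisted type served inline or without a Content‑Disposition at all. Note that `X-Content-Type-Options: nosniff` does not help here: the server declares `text/html` or `image/svg+xml` itself, so the browser renders it whenever the disposition is inline.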


Advisories

No advisories yet.

History

Thu, 19 Feb 2026 15:30:00 +0000
  CPEs: added cpe:2.3:a:hotcrp:hotcrp:3.2:*:*:*:*:*:*:*

Tue, 03 Feb 2026 15:00:00 +0000
  First Time appeared: Hotcrp; Hotcrp hotcrp
  Vendors & Products: added Hotcrp; Hotcrp hotcrp

Mon, 02 Feb 2026 18:15:00 +0000
  Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 22:30:00 +0000
  Description: added (the text shown under Description above)
  Title: added “HotCRP vulnerable to stored XSS via comment attachments”
  Weaknesses: added CWE-79
  References: added
  Metrics: added cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-02T17:42:38.247Z

Reserved: 2026-01-29T15:39:11.822Z

Link: CVE-2026-25156

Vulnrichment

Updated: 2026-02-02T17:42:34.697Z

NVD

Status: Analyzed

Published: 2026-01-30T23:16:12.333

Modified: 2026-02-19T15:10:01.723

Link: CVE-2026-25156

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses