CVE-2026-23878
- Source
- https://cve.org/CVERecord?id=CVE-2026-23878
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23878.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-23878
- Aliases
-
- GHSA-vh3x-xwj4-jvqx
- Published
- 2026-01-19T18:08:41.100Z
- Modified
- 2026-02-17T00:49:06.323044Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- HotCRP vulnerable to exposure of submitted documents
- Details
-
HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0.
- Database specific
{ "cwe_ids": [ "CWE-201" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23878.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23878.json
- https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508
- https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0
- https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx
- https://nvd.nist.gov/vuln/detail/CVE-2026-23878
Affected packages
Git / github.com/kohler/hotcrp
Affected ranges
- Type
- GIT
- Repo
- https://github.com/kohler/hotcrp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
Affected versions
Other
SITE_HotNetsV
v2.*
v2.0
v2.0b1
v2.0b2
v2.0b3
v2.0b4
v2.0b5
v2.0b6
v2.0b7
v2.0b8
v2.0b9
v2.1
v2.10
v2.100
v2.101
v2.102
v2.11
v2.12
v2.13
v2.14
v2.15
v2.16
v2.17
v2.18
v2.19
v2.2
v2.20
v2.21
v2.22
v2.24
v2.25
v2.26
v2.27
v2.28
v2.29
v2.3
v2.30
v2.31
v2.32
v2.33
v2.34
v2.35
v2.36
v2.37
v2.38
v2.39
v2.4
v2.40
v2.41
v2.42
v2.43
v2.44
v2.45
v2.46
v2.47
v2.48
v2.49
v2.5
v2.50
v2.51
v2.52
v2.53
v2.54
v2.55
v2.56
v2.57
v2.58
v2.59
v2.6
v2.60
v2.61
v2.7
v2.8
v2.9
v2.90
v2.90pre
v2.91
v2.92
v2.93
v2.94
v2.95
v2.96
v2.97
v2.98
v2.99
v3.*
v3.0.0
v3.0b1
v3.0b2
v3.0b3
v3.1