CVE-2026-25156

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25156

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25156.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25156

Aliases

GHSA-p88p-2f2p-2476

Published

2026-01-30T22:11:35.480Z

Modified

2026-02-04T21:34:03.253098Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

HotCRP vulnerable to stored XSS via comment attachments

Details

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only text/plain, application/pdf, image/gif, image/jpeg, and image/png to be delivered inline, though adding save=0 to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with “file upload” or “attachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for save=0.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25156.json"
}

References

Affected packages

Git / github.com/kohler/hotcrp

Affected ranges

Type: GIT
Repo: https://github.com/kohler/hotcrp
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c3d88a7e18d52119c65df31c2cc994edd2beccc5

Affected versions

Other

SITE_HotNetsV

v2.*

v2.0

v2.0b1

v2.0b2

v2.0b3

v2.0b4

v2.0b5

v2.0b6

v2.0b7

v2.0b8

v2.0b9

v2.1

v2.10

v2.100

v2.101

v2.102

v2.11

v2.12

v2.13

v2.14

v2.15

v2.16

v2.17

v2.18

v2.19

v2.2

v2.20

v2.21

v2.22

v2.24

v2.25

v2.26

v2.27

v2.28

v2.29

v2.3

v2.30

v2.31

v2.32

v2.33

v2.34

v2.35

v2.36

v2.37

v2.38

v2.39

v2.4

v2.40

v2.41

v2.42

v2.43

v2.44

v2.45

v2.46

v2.47

v2.48

v2.49

v2.5

v2.50

v2.51

v2.52

v2.53

v2.54

v2.55

v2.56

v2.57

v2.58

v2.59

v2.6

v2.60

v2.61

v2.7

v2.8

v2.9

v2.90

v2.90pre

v2.91

v2.92

v2.93

v2.94

v2.95

v2.96

v2.97

v2.98

v2.99

v3.*

v3.0.0

v3.0b1

v3.0b2

v3.0b3

v3.1

v3.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25156.json"