Skip to main content

Hotcrp

4 CVEs product

Monthly

CVE-2026-25156 HIGH PATCH This Week

HotCRP conference review software versions from October 2025 through January 2026 improperly render uploaded documents inline in the browser instead of forcing download, allowing malicious HTML or SVG files to execute JavaScript with access to user credentials and HotCRP API permissions. Attackers can exploit this stored XSS vulnerability by uploading crafted documents to submission fields, which then compromise any user who clicks the document link. A patch is available to restrict inline rendering to safe document types.

XSS Hotcrp
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-23878 MEDIUM PATCH This Month

HotCRP is conference review software. [CVSS 6.5 MEDIUM]

Information Disclosure Hotcrp
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23836 CRITICAL PATCH Act Now

HotCRP conference review software version 3.1 has an inadequate input sanitization flaw (CVSS 9.9) that allows authenticated users to execute arbitrary code on the server through crafted submissions.

PHP Hotcrp
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2022-4819 MEDIUM PATCH This Month

A vulnerability was found in HotCRP. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Hotcrp
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.5%
EPSS 0% CVSS 7.3
HIGH PATCH This Week

HotCRP conference review software versions from October 2025 through January 2026 improperly render uploaded documents inline in the browser instead of forcing download, allowing malicious HTML or SVG files to execute JavaScript with access to user credentials and HotCRP API permissions. Attackers can exploit this stored XSS vulnerability by uploading crafted documents to submission fields, which then compromise any user who clicks the document link. A patch is available to restrict inline rendering to safe document types.

XSS Hotcrp
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

HotCRP is conference review software. [CVSS 6.5 MEDIUM]

Information Disclosure Hotcrp
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

HotCRP conference review software version 3.1 has an inadequate input sanitization flaw (CVSS 9.9) that allows authenticated users to execute arbitrary code on the server through crafted submissions.

PHP Hotcrp
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

A vulnerability was found in HotCRP. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Hotcrp
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy