CVE-2026-25156 (GCVE-0-2026-25156)

Vulnerability from cvelistv5 – Published: 2026-01-30 22:11 – Updated: 2026-02-02 17:42
VLAI?
Title
HotCRP vulnerable to stored XSS via comment attachments
Summary
HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with “file upload” or “attachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`.
Severity ?
7.3 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
kohler hotcrp Affected: = 3.2
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25156",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-02T17:42:28.607856Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-02T17:42:38.247Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "hotcrp",
          "vendor": "kohler",
          "versions": [
            {
              "status": "affected",
              "version": "= 3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user\u2019s browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer\u2019s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP\u2019s API. Malicious documents could be uploaded to submission fields with \u201cfile upload\u201d or \u201cattachment\u201d type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-30T22:11:35.480Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476"
        },
        {
          "name": "https://github.com/kohler/hotcrp/commit/8933e86c9f384b356dc4c6e9e2814dee1074b323",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kohler/hotcrp/commit/8933e86c9f384b356dc4c6e9e2814dee1074b323"
        },
        {
          "name": "https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508"
        },
        {
          "name": "https://github.com/kohler/hotcrp/commit/c3d88a7e18d52119c65df31c2cc994edd2beccc5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kohler/hotcrp/commit/c3d88a7e18d52119c65df31c2cc994edd2beccc5"
        }
      ],
      "source": {
        "advisory": "GHSA-p88p-2f2p-2476",
        "discovery": "UNKNOWN"
      },
      "title": "HotCRP vulnerable to stored XSS via comment attachments"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25156",
    "datePublished": "2026-01-30T22:11:35.480Z",
    "dateReserved": "2026-01-29T15:39:11.822Z",
    "dateUpdated": "2026-02-02T17:42:38.247Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25156\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-30T23:16:12.333\",\"lastModified\":\"2026-02-19T15:10:01.723\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user\u2019s browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer\u2019s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP\u2019s API. Malicious documents could be uploaded to submission fields with \u201cfile upload\u201d or \u201cattachment\u201d type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`.\"},{\"lang\":\"es\",\"value\":\"HotCRP es un software de revisi\u00f3n de conferencias. Las versiones de HotCRP desde octubre de 2025 hasta enero de 2026 entregaron documentos de todo tipo con Content-Disposition en l\u00ednea, haciendo que se renderizaran en el navegador del usuario en lugar de descargarse. (El comportamiento previsto era que solo \u0027text/plain\u0027, \u0027application/pdf\u0027, \u0027image/gif\u0027, \u0027image/jpeg\u0027 e \u0027image/png\u0027 se entregaran en l\u00ednea, aunque a\u00f1adir \u0027save=0\u0027 a la URL del documento pod\u00eda solicitar la entrega en l\u00ednea para cualquier documento.) Esto hizo que los usuarios que hac\u00edan clic en un enlace de documento fueran vulnerables a ataques de cross-site scripting. Un documento HTML o SVG subido se ejecutar\u00eda en el navegador del visor con acceso a sus credenciales de HotCRP, y Javascript en ese documento podr\u00eda eventualmente hacer llamadas arbitrarias a la API de HotCRP. Los documentos maliciosos pod\u00edan subirse a campos de env\u00edo con tipo \u0027carga de archivo\u0027 o \u0027adjunto\u0027, o como adjuntos a comentarios. Los campos de carga de PDF no eran vulnerables. Una b\u00fasqueda de documentos subidos a hotcrp.com no encontr\u00f3 evidencia de explotaci\u00f3n. La vulnerabilidad fue introducida en el commit aa20ef288828b04550950cf67c831af8a525f508 (11 de octubre de 2025), presente en versiones de desarrollo y v3.2, y corregida en el commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 y v3.2.1. Adem\u00e1s, c3d88a7e18d52119c65df31c2cc994edd2beccc5 y v3.2.1 eliminan el soporte para \u0027save=0\u0027.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hotcrp:hotcrp:3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"951E87E4-238E-4EE1-8FA7-8FDD84D94F85\"}]}]}],\"references\":[{\"url\":\"https://github.com/kohler/hotcrp/commit/8933e86c9f384b356dc4c6e9e2814dee1074b323\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kohler/hotcrp/commit/c3d88a7e18d52119c65df31c2cc994edd2beccc5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25156\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-02T17:42:28.607856Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-02T17:42:34.697Z\"}}], \"cna\": {\"title\": \"HotCRP vulnerable to stored XSS via comment attachments\", \"source\": {\"advisory\": \"GHSA-p88p-2f2p-2476\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"kohler\", \"product\": \"hotcrp\", \"versions\": [{\"status\": \"affected\", \"version\": \"= 3.2\"}]}], \"references\": [{\"url\": \"https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476\", \"name\": \"https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/kohler/hotcrp/commit/8933e86c9f384b356dc4c6e9e2814dee1074b323\", \"name\": \"https://github.com/kohler/hotcrp/commit/8933e86c9f384b356dc4c6e9e2814dee1074b323\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508\", \"name\": \"https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/kohler/hotcrp/commit/c3d88a7e18d52119c65df31c2cc994edd2beccc5\", \"name\": \"https://github.com/kohler/hotcrp/commit/c3d88a7e18d52119c65df31c2cc994edd2beccc5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user\\u2019s browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer\\u2019s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP\\u2019s API. Malicious documents could be uploaded to submission fields with \\u201cfile upload\\u201d or \\u201cattachment\\u201d type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-30T22:11:35.480Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25156\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-02T17:42:38.247Z\", \"dateReserved\": \"2026-01-29T15:39:11.822Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-30T22:11:35.480Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.