HotCRP · HotCRP · CVE-2026-23836
**Name of the Vulnerable Software and Affected Versions**
HotCRP version 3.1
**Description**
HotCRP is conference review software. A flaw introduced in April 2024 in version 3.1 allows users to trigger the execution of arbitrary PHP code due to inadequately sanitized code generation for HotCRP formulas. The issue grants remote code execution with user privileges.
**Recommendations**
Update HotCRP to version 3.2.