PT-2026-3476 · Hotcrp · Hotcrp
Cyanpencil · Published 2026-01-19 · Updated 2026-01-21 · CVE-2026-23836
CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
HotCRP version 3.1
Description
HotCRP is conference review software. A flaw introduced in April 2024 in version 3.1 allows users to trigger the execution of arbitrary PHP code due to inadequately sanitized code generation for HotCRP formulas. The issue grants remote code execution with user privileges.
Recommendations
Update HotCRP to version 3.2.
Exploit
Fix
RCE
Affected Products
Hotcrp