PT-2026-5496 · Hotcrp · Hotcrp

Nbars · Published 2026-01-30 · Updated 2026-02-01 · CVE-2026-25156

CVSS v3.1: 7.3 High
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: HotCRP, versions released from October 2025 through January 2026 (all versions before 3.2.1 that contain commit aa20ef288828b04550950cf67c831af8a525f508)
Description: HotCRP is conference review software. Versions released between October 2025 and January 2026 delivered documents of every type with an inline Content-Disposition, so the browser rendered them instead of offering a download. Inline delivery was intended only for text/plain, application/pdf, image/gif, image/jpeg and image/png. However, appending save=0 to a document URL requested inline delivery for any document regardless of its type. This exposed users to stored cross-site scripting when they clicked a document link: an uploaded HTML or SVG document was rendered from HotCRP's own origin, so JavaScript inside it ran with the viewer's HotCRP session and could make arbitrary calls to HotCRP's API on their behalf. Malicious documents could be uploaded to submission fields of type "file upload" or "attachment", or as attachments to comments; PDF upload fields were not affected. The attacker therefore needs an account able to upload (PR:L) and the victim must be logged in and open the link (UI:R), which is reflected in the CVSS vector. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The issue was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323.
Recommendations: Update to HotCRP version 3.2.1 or later. After upgrading, confirm the fix by requesting a non-PDF attachment (for example an uploaded .html or .svg file) with save=0 appended to its URL and checking that the response still carries Content-Disposition: attachment.
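The following is an added illustration of the bug class described above and of the check a practitioner would run against a patched server; it is not HotCRP's code. The function names, the exact semantics of the save query parameter, the defence-in-depth headers and the sample responses are all constructed assumptions modelled on the advisory text.

```python
"""Inline-vs-attachment decision for user-uploaded documents.

Constructed illustration of the class of bug in the advisory; it is not
HotCRP's code. Function names, the exact meaning of the `save` query
parameter and the sample responses below are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Types the advisory says were meant to be viewed inline. Everything else
# (HTML, SVG, XML, ...) can carry script and must be downloaded instead.
INLINE_SAFE = frozenset({
    "text/plain", "application/pdf", "image/gif", "image/jpeg", "image/png",
})


def _base_type(mimetype):
    """'image/svg+xml; charset=utf-8' -> 'image/svg+xml'."""
    return mimetype.split(";", 1)[0].strip().lower()


def _filename_param(name):
    """Neutralise CR/LF, quotes and backslashes so the stored filename
    cannot split the header or escape the quoted string."""
    return 'filename="%s"' % re.sub(r'[\r\n"\\]', "_", name)


def vulnerable_disposition(mimetype, filename, save):
    """Pre-fix logic (assumed shape): ?save=0 is honoured for any type, so
    an uploaded text/html or image/svg+xml file renders in the site's origin."""
    inline = _base_type(mimetype) in INLINE_SAFE or save == "0"
    return ("inline" if inline else "attachment") + "; " + _filename_param(filename)


def fixed_disposition(mimetype, filename, save):
    """Hardened logic: the client may force a download (save=1) but can
    never promote a non-allowlisted type to inline."""
    inline = _base_type(mimetype) in INLINE_SAFE and save != "1"
    return ("inline" if inline else "attachment") + "; " + _filename_param(filename)


def document_headers(mimetype, filename, url):
    """Response headers for serving one stored document at `url` (hardened)."""
    save = parse_qs(urlsplit(url).query).get("save", [None])[0]
    return {
        "Content-Type": mimetype,
        "Content-Disposition": fixed_disposition(mimetype, filename, save),
        # Stop browsers from sniffing a text/plain body into HTML.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth (an assumption, not from the advisory): even if
        # a scriptable type were served inline, CSP sandbox runs it with
        # no script and in an opaque origin, away from the session.
        "Content-Security-Policy": "sandbox",
    }


def is_inline_risky(headers):
    """Check to run on a live response: True if a scriptable type is (or,
    with no disposition header at all, would be) rendered inline."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = _base_type(h.get("content-type", "application/octet-stream"))
    disp = h.get("content-disposition", "inline").split(";", 1)[0].strip().lower()
    return disp != "attachment" and ctype not in INLINE_SAFE


# Constructed sample responses, not captured traffic.
SAMPLE_RESPONSES = {
    "pdf-inline": {"Content-Type": "application/pdf",
                   "Content-Disposition": 'inline; filename="paper.pdf"'},
    "svg-inline": {"Content-Type": "image/svg+xml",
                   "Content-Disposition": 'inline; filename="fig.svg"'},
    "html-no-disposition": {"Content-Type": "text/html"},
    "html-attachment": {"Content-Type": "text/html",
                        "Content-Disposition": 'attachment; filename="notes.html"'},
}

if __name__ == "__main__":
    # Hypothetical document URL with the save=0 trigger from the advisory.
    url = "https://conf.example/doc/paper1-attach.svg?save=0"
    print("before:", vulnerable_disposition("image/svg+xml", "fig.svg", "0"))
    print("after: ", document_headers("image/svg+xml", "fig.svg", url)["Content-Disposition"])
    for name, hdrs in SAMPLE_RESPONSES.items():
        print("%-22s risky=%s" % (name, is_inline_risky(hdrs)))
```

The design point is that an opt-in to inline rendering must come from a server-side allowlist keyed on the stored MIME type, never from a request parameter; a client-controlled flag should only be able to make delivery stricter. is_inline_risky is the check to point at each attachment URL (with and without save=0) after deploying 3.2.1.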

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-25156
GHSA-P88P-2F2P-2476

Affected Products

Hotcrp