CVE-2026-25156
Published: 30 January 2026
Summary
CVE-2026-25156 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Hotcrp Hotcrp. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-25156 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in HotCRP, an open-source conference review software. It affects versions from October 2025 through January 2026, including development versions and v3.2. The issue stems from these versions delivering documents of all types with inline Content-Disposition headers, causing browsers to render them inline rather than prompting downloads. Intended inline behavior was limited to text/plain, application/pdf, image/gif, image/jpeg, and image/png types, though the save=0 URL parameter could force inline delivery for others. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 on 11 October 2025 and carries a CVSS score of 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
An authenticated attacker with low privileges can exploit this by uploading malicious HTML or SVG documents to submission fields with file upload or attachment types, or as attachments to comments. When a victim clicks the document link, their browser renders the content inline in the HotCRP context, executing JavaScript with access to the victim's HotCRP credentials. This enables the script to make arbitrary calls to HotCRP's API on the victim's behalf. PDF upload fields are not vulnerable, and exploitation requires user interaction to click the link.
Mitigation is available via the fixing commit 8933e86c9f384b356dc4c6e9e2814dee1074b323, included in v3.2.1. An additional commit c3d88a7e18d52119c65df31c2cc994edd2beccc5 in v3.2.1 removes support for the save=0 parameter. Security practitioners should upgrade to v3.2.1 or later and consult the GitHub security advisory at GHSA-p88p-2f2p-2476 for full details.
No evidence of exploitation was found in a search of documents uploaded to hotcrp.com.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5000
Vulnerability details
HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only `text/plain`,…
more
`application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with “file upload” or “attachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in public-facing web app (HotCRP) directly enables exploitation of the application over the network (T1190) and browser session hijacking via malicious inline script execution (T1185). The delivered payload is JavaScript executed in the victim's authenticated browser context (T1059.007), allowing arbitrary API actions on the victim's behalf.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces validation of uploaded file content and types so that HTML/SVG documents cannot be accepted in submission or comment attachment fields where they would later be rendered inline.
Requires filtering of all document responses to enforce safe Content-Disposition headers and permitted MIME types, directly blocking the inline execution path used by the XSS payload.
Deploys malicious-code detection on file uploads that would identify and block HTML/SVG documents containing executable scripts before they are stored and linked.