Cyber Posture

CVE-2026-25156

High

Published: 30 January 2026

Published
30 January 2026
Modified
19 February 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0004 13.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25156 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Hotcrp Hotcrp. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing
addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

SI-10 Information Input Validation
addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

SI-15 Information Output Filtering
addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
Why these techniques?

XSS in public-facing web app (HotCRP) directly enables exploitation of the application over the network (T1190) and browser session hijacking via malicious inline script execution (T1185). The delivered payload is JavaScript executed in the victim's authenticated browser context (T1059.007), allowing arbitrary API actions on the victim's behalf.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only `text/plain`,…

more

`application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with “file upload” or “attachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`.

Deeper analysisAI

CVE-2026-25156 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in HotCRP, an open-source conference review software. It affects versions from October 2025 through January 2026, including development versions and v3.2. The issue stems from these versions delivering documents of all types with inline Content-Disposition headers, causing browsers to render them inline rather than prompting downloads. Intended inline behavior was limited to text/plain, application/pdf, image/gif, image/jpeg, and image/png types, though the save=0 URL parameter could force inline delivery for others. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 on 11 October 2025 and carries a CVSS score of 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

An authenticated attacker with low privileges can exploit this by uploading malicious HTML or SVG documents to submission fields with file upload or attachment types, or as attachments to comments. When a victim clicks the document link, their browser renders the content inline in the HotCRP context, executing JavaScript with access to the victim's HotCRP credentials. This enables the script to make arbitrary calls to HotCRP's API on the victim's behalf. PDF upload fields are not vulnerable, and exploitation requires user interaction to click the link.

Mitigation is available via the fixing commit 8933e86c9f384b356dc4c6e9e2814dee1074b323, included in v3.2.1. An additional commit c3d88a7e18d52119c65df31c2cc994edd2beccc5 in v3.2.1 removes support for the save=0 parameter. Security practitioners should upgrade to v3.2.1 or later and consult the GitHub security advisory at GHSA-p88p-2f2p-2476 for full details.

No evidence of exploitation was found in a search of documents uploaded to hotcrp.com.

Details

CWE(s)
CWE-79

Affected Products

hotcrp
hotcrp
3.2

CVEs Like This One

CVE-2026-23836Same product: Hotcrp Hotcrp
CVE-2025-27405Shared CWE-79
CVE-2025-69096Shared CWE-79
CVE-2025-15440Shared CWE-79
CVE-2026-22524Shared CWE-79
CVE-2026-4803Shared CWE-79
CVE-2025-40587Shared CWE-79
CVE-2026-26930Shared CWE-79
CVE-2025-23998Shared CWE-79
CVE-2025-23722Shared CWE-79

References