Cyber Resilience

CVE-2026-25156

High

Published: 30 January 2026

Published
30 January 2026
Modified
19 February 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0006 19.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25156 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Hotcrp Hotcrp. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-25156 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in HotCRP, an open-source conference review software. It affects versions from October 2025 through January 2026, including development versions and v3.2. The issue stems from these versions delivering documents of all types with inline Content-Disposition headers, causing browsers to render them inline rather than prompting downloads. Intended inline behavior was limited to text/plain, application/pdf, image/gif, image/jpeg, and image/png types, though the save=0 URL parameter could force inline delivery for others. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 on 11 October 2025 and carries a CVSS score of 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

An authenticated attacker with low privileges can exploit this by uploading malicious HTML or SVG documents to submission fields with file upload or attachment types, or as attachments to comments. When a victim clicks the document link, their browser renders the content inline in the HotCRP context, executing JavaScript with access to the victim's HotCRP credentials. This enables the script to make arbitrary calls to HotCRP's API on the victim's behalf. PDF upload fields are not vulnerable, and exploitation requires user interaction to click the link.

Mitigation is available via the fixing commit 8933e86c9f384b356dc4c6e9e2814dee1074b323, included in v3.2.1. An additional commit c3d88a7e18d52119c65df31c2cc994edd2beccc5 in v3.2.1 removes support for the save=0 parameter. Security practitioners should upgrade to v3.2.1 or later and consult the GitHub security advisory at GHSA-p88p-2f2p-2476 for full details.

No evidence of exploitation was found in a search of documents uploaded to hotcrp.com.

EU & UK References

Vulnerability details

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only `text/plain`,…

more

`application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with “file upload” or “attachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

XSS in public-facing web app (HotCRP) directly enables exploitation of the application over the network (T1190) and browser session hijacking via malicious inline script execution (T1185). The delivered payload is JavaScript executed in the victim's authenticated browser context (T1059.007), allowing arbitrary API actions on the victim's behalf.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23836Same product: Hotcrp Hotcrp
CVE-2025-23722Shared CWE-79
CVE-2025-68874Shared CWE-79
CVE-2025-53231Shared CWE-79
CVE-2026-22524Shared CWE-79
CVE-2025-0521Shared CWE-79
CVE-2025-15440Shared CWE-79
CVE-2025-22766Shared CWE-79
CVE-2026-22867Shared CWE-79
CVE-2025-40587Shared CWE-79

Affected Assets

hotcrp
hotcrp
3.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of uploaded file content and types so that HTML/SVG documents cannot be accepted in submission or comment attachment fields where they would later be rendered inline.

prevent

Requires filtering of all document responses to enforce safe Content-Disposition headers and permitted MIME types, directly blocking the inline execution path used by the XSS payload.

prevent

Deploys malicious-code detection on file uploads that would identify and block HTML/SVG documents containing executable scripts before they are stored and linked.

References