CVE-2026-23836
Severity: Critical (CVSS score 9.9 out of 10.0)
Published: Jan 19, 2026
Last Modified: Jan 19, 2026
Vulnerability Description
HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas, which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2.
CVSS Metrics (Common Vulnerability Scoring System)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: Low (L)
User Interaction: None (N)
Scope: Changed (C)
Confidentiality: High (H)
Integrity: High (H)
Availability: High (H)
References & Resources
- https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9 (source: security-advisories@github.com)
- https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834 (source: security-advisories@github.com)
- https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h (source: security-advisories@github.com)
