cvedb.io
CVE-2026-25156
HIGH · CVSS 7.3
EPSS exploitation probability: 0%
Published 2026-01-30T23:16:12.333 · Last modified 2026-06-17T10:24:12.427

Summary

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and JavaScript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fiel
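The inline-versus-attachment decision the summary describes, as an added Python illustration (not HotCRP's own PHP code): the always-inline behaviour of the affected versions beside a hardened decision that allow-lists only the intended types and lets the `save` parameter force a download but never force inline rendering. The allow-list constant, the header helper and the sample filenames are constructed for this example.

```python
"""Added illustration of serving uploaded documents safely (not HotCRP code).

Assumption: a document is described only by its MIME type and the request's
optional ``save`` query parameter, mirroring the behaviour in the advisory.
"""
from typing import Dict, Optional

# The five types the advisory names as the intended inline set.
INLINE_SAFE_TYPES = frozenset({
    "text/plain", "application/pdf",
    "image/gif", "image/jpeg", "image/png",
})


def disposition_vulnerable(mimetype: str, save: Optional[str] = None) -> str:
    """Affected-version behaviour: every document type is sent inline,
    so an uploaded HTML or SVG file renders under the site's origin."""
    return "inline"


def disposition_hardened(mimetype: str, save: Optional[str] = None) -> str:
    """Inline only for allow-listed types. ``save=1`` may force a download,
    but no parameter can request inline delivery of a non-listed type."""
    base = mimetype.split(";", 1)[0].strip().lower()   # drop "; charset=..."
    if save == "1":
        return "attachment"
    return "inline" if base in INLINE_SAFE_TYPES else "attachment"


def safe_filename(name: str) -> str:
    """Remove characters that would break or inject into the header value."""
    return "".join(ch for ch in name if ch not in '"\\\r\n')


def response_headers(mimetype: str, filename: str,
                     save: Optional[str] = None) -> Dict[str, str]:
    """Headers for one document response using the hardened decision."""
    disp = disposition_hardened(mimetype, save)
    return {
        "Content-Type": mimetype,
        "Content-Disposition": f'{disp}; filename="{safe_filename(filename)}"',
        # Stop the browser from sniffing a declared type into something active.
        "X-Content-Type-Options": "nosniff",
    }
```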

Affected products

hotcrp — hotcrp


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.