CVE-2026-25156
📋 TL;DR
HotCRP conference review software releases from October 2025 through January 2026 delivered every document type with Content-Disposition: inline, so browsers rendered documents instead of downloading them. An attacker who can upload a document (for example as an author or commenter) can upload HTML or SVG containing script; when another user opens the link, that script runs in the HotCRP origin, a cross-site scripting condition that can expose the victim's credentials and issue arbitrary API calls as them. Any user of an affected version who opens such a document link is exposed.
💻 Affected Systems
- HotCRP
📦 What is this software?
HotCRP (github.com/kohler/hotcrp) is an open-source conference submission and peer-review management system written in PHP, maintained by Eddie Kohler.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal HotCRP credentials, hijack user sessions, and make unauthorized API calls to manipulate conference submissions, reviews, or administrative functions, potentially compromising entire conference data.
Likely Case
Attackers upload malicious documents to submission fields or comments, then trick users into clicking links to execute XSS payloads that steal session cookies or credentials.
If Mitigated
With Content-Disposition: attachment enforced for every type outside the allowlist (and, as defence in depth, upload types restricted to what each field actually needs), a malicious HTML or SVG upload is downloaded rather than rendered, so its script never runs in a victim's HotCRP session even when the file is accepted.
🎯 Exploit Status
Exploitation requires an account able to upload a document (an author or commenter suffices) and a victim who opens the document link; because the file is served from the conference's own HotCRP origin, the link itself looks legitimate. No evidence of exploitation was found on hotcrp.com.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.2.1
Vendor Advisory: https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476
Restart Required: No
Instructions:
1. Update HotCRP to version 3.2.1 or later.
2. If you deploy from a git checkout and cannot move to the tagged release, cherry-pick the fix commits 8933e86c9f384b356dc4c6e9e2814dee1074b323 and c3d88a7e18d52119c65df31c2cc994edd2beccc5 (the references below list the advisory's commits).
3. Verify that responses for non-allowlisted document types (HTML, SVG) now carry Content-Disposition: attachment and download instead of rendering.
🔧 Temporary Workarounds
Disable inline document rendering
Configure the web server to force Content-Disposition: attachment for all uploaded documents except text/plain, application/pdf, and image types. HotCRP serves documents through its PHP front end rather than as static files, so rules keyed on the request path only help when the document URL ends in the file extension; after applying either rule, fetch a test document and confirm the header actually changed.
# Apache 2.4 (mod_headers), .htaccess or virtual host: match on the request URI,
# not a file on disk, because HotCRP serves documents through PHP, not as static files
<If "%{REQUEST_URI} =~ m#\.(html?|svg)$#i">
    Header set Content-Disposition "attachment"
</If>
# Nginx: the map goes in the http context; the two directives go in the location
# that passes HotCRP to PHP-FPM. add_header appends rather than replaces, so the
# upstream Content-Disposition must be hidden first (an empty map value adds nothing)
map $request_uri $hotcrp_disposition {
    "~*\.(html?|svg)(\?|$)"  attachment;
    default                  "";
}
    fastcgi_hide_header Content-Disposition;
    add_header Content-Disposition $hotcrp_disposition always;
Restrict file upload types
Block uploads of HTML, SVG, and other browser-executable types at the application or web-server level. The uploader controls both the declared MIME type and the file extension, so a blocklist on either is bypassable; treat this as defence in depth, not as a substitute for the patch.
# HotCRP configuration: where the settings allow it, restrict each document field to the types it actually needs (typically application/pdf)
# Server-side: a WAF such as ModSecurity can inspect multipart uploads and reject parts whose declared type is text/html or image/svg+xml, or whose filename ends in .html, .htm or .svg
🧯 If You Can't Patch
- Add a Content Security Policy to the document-serving responses, not only to the application pages: a policy of sandbox (or default-src 'none') on a rendered HTML or SVG document blocks its inline and external script, whereas a CSP on the rest of the site does nothing for a payload that is itself the served document.
- Audit stored documents by content, not just extension: scan files uploaded to submission and comment fields for HTML/SVG markup and investigate anything unexpected.
🔍 How to Verify
Check if Vulnerable:
On a test instance or with a throwaway account (never a real user's session, since the script runs with the session that opens it), upload an HTML file containing a simple alert script to a document field, then open the document URL while logged in. If the browser renders it and the script runs, the deployment is vulnerable.
Check Version:
Confirm the deployed HotCRP version is 3.2.1 or later; for a git deployment, confirm that the fix commits are ancestors of the deployed HEAD (git merge-base --is-ancestor does this) rather than relying on the version string alone.
Verify Fix Applied:
After patching, repeat the test: the HTML file must download instead of rendering (Content-Disposition: attachment), and requesting it with the save=0 query parameter must no longer produce inline delivery.
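The following Python script is an added example for this advisory, not HotCRP's or the advisory's own code. It fetches a document URL with an existing session cookie and classifies the response the way the verification steps above describe: forced download, harmless inline render, or inline render of a script-capable type. The allowlist of inline-safe types follows this page's description of the fix (text/plain, PDF, non-SVG images) and is an assumption, not HotCRP's actual list; the URL and cookie on the command line are placeholders.

```python
"""Classify a HotCRP document response: does the browser get a download, a
harmless inline render, or an inline render of an active (script-capable) type?

Added example for this advisory; it is not HotCRP code.  INLINE_OK follows
this page's description of the fix and is an assumption, not HotCRP's list.
"""
import sys
import urllib.request

# Types this page says stay inline after the fix (assumed, see above).
INLINE_OK = {"application/pdf", "text/plain"}
# Types a browser will execute script from when rendered same-origin.
ACTIVE = {"text/html", "application/xhtml+xml", "image/svg+xml",
          "text/xml", "application/xml"}


def parse_header(value):
    """'text/html; charset=utf-8' -> ('text/html', {'charset': 'utf-8'})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        if key:
            params[key.strip().lower()] = val.strip().strip('"')
    return parts[0].lower(), params


def verdict(headers):
    """Return one of:
      'attachment'     - Content-Disposition forces a download (fixed behaviour)
      'inline-ok'      - rendered inline but of an allowlisted passive type
      'inline-active'  - rendered inline and script-capable: the XSS condition
      'inline-other'   - rendered inline, type outside both sets (review manually)
    headers is any mapping of response header name -> value, case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    # A missing Content-Disposition means inline: that is the browser default.
    disp, _ = parse_header(h.get("content-disposition", "inline"))
    if disp == "attachment":
        return "attachment"
    ctype, _ = parse_header(h.get("content-type", "application/octet-stream"))
    if ctype in ACTIVE:
        return "inline-active"
    if ctype in INLINE_OK or (ctype.startswith("image/") and ctype != "image/svg+xml"):
        return "inline-ok"
    return "inline-other"


def check_url(url, session_cookie=None):
    """GET the document (a HEAD is not guaranteed to carry the same headers),
    sending an existing HotCRP session cookie; the cookie string is a placeholder."""
    req = urllib.request.Request(url)
    if session_cookie:
        req.add_header("Cookie", session_cookie)
    with urllib.request.urlopen(req) as resp:
        return verdict(dict(resp.headers.items()))


if __name__ == "__main__":
    # usage: python check_doc.py https://hotcrp.example.org/doc/<name> "cookie-header-value"
    print(check_url(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it once against a known HTML or SVG test upload before and after patching: a vulnerable deployment reports inline-active, a fixed one reports attachment. Checking the headers rather than watching for an alert also catches the case where a browser extension or CSP masks the script but the server is still unpatched.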
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML/SVG file uploads to submission or comment attachment fields
- Multiple document access requests with save=0 parameter
- Authenticated sessions fetching document types they have no reason to open (a reviewer account fetching a text/html comment attachment, for instance)
Network Indicators:
- HTTP responses with Content-Disposition: inline for non-whitelisted file types
- Upload requests for HTML/SVG files to vulnerable endpoints
SIEM Query (illustrative; the source and field names depend on how your HotCRP and web-server logs are ingested):
source="hotcrp_logs" AND (file_extension="html" OR file_extension="svg" OR file_extension="htm") AND action="upload"
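As an added example (not HotCRP's or the advisory's code), the following Python script applies the log and network indicators above to web-server access logs: it flags document fetches whose path carries a script-capable extension and fetches that use the save=0 parameter, then counts flagged requests per client. It assumes the combined log format, that HotCRP document URLs live under /doc/ or at doc.php, and that the document path carries the original extension; the .xhtml extension is added beyond the page's html/htm/svg list because browsers treat it as active as well. Uploads themselves are not visible in an access log (the file name is in the multipart body), so that indicator needs HotCRP's own action log instead. The sample lines are constructed, not real traffic.

```python
"""Scan web-server access logs for the indicators this advisory lists:
document fetches for script-capable types and fetches carrying save=0.

Added example for this advisory, not HotCRP code.  Assumptions: combined
log format, HotCRP document URLs under /doc/ or at doc.php, and that the
document path carries the original extension.  Sample lines are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# .xhtml goes beyond the page's html/htm/svg list: browsers treat it as active too.
ACTIVE_EXT = (".html", ".htm", ".xhtml", ".svg")


def classify(line):
    """Return a dict describing a flagged document request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path.lower()
    # Assumed HotCRP document routes (/doc/<name> and doc.php).
    if "/doc/" not in path and not path.endswith("doc.php"):
        return None
    flags = []
    if path.endswith(ACTIVE_EXT):
        flags.append("active-type")
    if parse_qs(url.query).get("save") == ["0"]:
        flags.append("save=0")
    if not flags:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "target": m["target"],
            "status": m["status"], "flags": flags}


def scan(lines):
    """Return (flagged events in log order, Counter of flagged events per client IP)."""
    flagged = [ev for ev in map(classify, lines) if ev]
    return flagged, Counter(ev["ip"] for ev in flagged)


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jan/2026:09:58:11 +0000] "GET /doc/paper12-submission.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2026:10:00:00 +0000] "GET /doc/paper12-comment-3.html?save=0 HTTP/1.1" 200 1320 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2026:10:00:04 +0000] "GET /doc.php?p=12&save=0 HTTP/1.1" 200 1320 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Jan/2026:10:03:27 +0000] "GET /doc/paper7-final.svg HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Jan/2026:10:03:30 +0000] "GET /paper?p=7 HTTP/1.1" 200 17001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    events, per_ip = scan(SAMPLE_LOG)
    for ev in events:
        print(ev["ts"], ev["ip"], ",".join(ev["flags"]), ev["target"])
    print("flagged requests per client:", dict(per_ip))
```

On the sample input the PDF fetch and the paper page are ignored, the two requests from 203.0.113.5 are flagged (one for both indicators, one for save=0 alone), and the SVG fetch from 192.0.2.9 is flagged for its type. A client that repeatedly pulls active-type documents, or one that fetches a document with save=0 shortly after another account uploaded it, is the pattern to escalate.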
🔗 References
- https://github.com/kohler/hotcrp/commit/8933e86c9f384b356dc4c6e9e2814dee1074b323
- https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508
- https://github.com/kohler/hotcrp/commit/c3d88a7e18d52119c65df31c2cc994edd2beccc5
- https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476