CVE-2026-23836

EPSS 0.39%
Veröffentlicht 19.01.2026 18:06:04
Zuletzt bearbeitet 18.02.2026 16:01:00
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

HotCRP vulnerable to remote code execution through formulas

HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hotcrp ≫ Hotcrp Version >= 3.0 < 3.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.39%	0.308

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h

Patch

Vendor Advisory

https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9

Patch

https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-23836

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-23836

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-23836

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-23836