CVE-2026-25156 Overview
CVE-2026-25156 is a Cross-Site Scripting (XSS) vulnerability in HotCRP, an open-source conference review software widely used by academic and research communities. The vulnerability stems from improper handling of Content-Disposition headers, causing uploaded documents to be rendered inline in users' browsers rather than being downloaded. This behavior allows attackers to upload malicious HTML or SVG files that execute JavaScript in the context of the victim's authenticated HotCRP session.
Critical Impact
Attackers can upload malicious HTML or SVG documents that execute JavaScript with access to the victim's HotCRP credentials, enabling arbitrary API calls and potential account compromise.
Affected Products
- HotCRP versions from October 2025 through January 2026
- HotCRP v3.2 (prior to v3.2.1)
- HotCRP development versions containing commit aa20ef288828b04550950cf67c831af8a525f508
Discovery Timeline
- 2026-01-30 - CVE-2026-25156 published to NVD
- 2026-02-03 - Last updated in NVD database
Technical Details for CVE-2026-25156
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in how HotCRP handles document delivery to users. Under normal, secure operation, only specific safe MIME types (text/plain, application/pdf, image/gif, image/jpeg, and image/png) are served with an inline Content-Disposition header; every other type is served as an attachment so the browser downloads it instead of rendering it. The vulnerable versions, however, delivered all document types inline, causing browsers to render potentially dangerous content types such as HTML and SVG files.
When a victim clicks on a link to a maliciously crafted document, their browser renders the content within the HotCRP domain context. This grants the malicious script access to the user's session cookies, authentication tokens, and the ability to make authenticated API requests on behalf of the victim.
Root Cause
The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (dated 11 October 2025). This commit inadvertently changed the document delivery behavior to serve all file types with inline Content-Disposition, bypassing the intended whitelist of safe MIME types. Additionally, the save=0 URL parameter could be used to explicitly request inline delivery for any document type, further expanding the attack surface.
Attack Vector
The attack requires network access and targets authenticated HotCRP users. An attacker with at least low-level privileges (such as a paper author or reviewer) can upload a malicious document containing JavaScript code. This can be accomplished through:
- Submission fields configured with "file upload" or "attachment" type
- Comment attachments
When another user (particularly one with higher privileges such as a program committee chair) clicks on the malicious document link, the JavaScript executes in their browser session. The attack requires user interaction (clicking the document link), but given the collaborative nature of conference review systems where reviewers routinely open submitted documents, exploitation is straightforward.
The malicious script can then harvest credentials, modify paper reviews, access confidential submission data, or perform administrative actions depending on the victim's role. Notably, PDF upload fields were not vulnerable to this attack.
A search of documents uploaded to hotcrp.com found no evidence of exploitation in the wild.
Detection Methods for CVE-2026-25156
Indicators of Compromise
- Unusual HTML or SVG file uploads in submission or comment attachment fields
- Server logs showing document access patterns followed by unexpected API calls
- User reports of unexpected behavior after clicking document links
- Documents with embedded JavaScript or suspicious <script> tags in non-PDF attachments
Detection Strategies
- Review uploaded documents for HTML, SVG, or other executable content types in attachment fields
- Monitor API access logs for unusual activity patterns following document downloads
- Audit Content-Disposition headers in HTTP responses to verify proper attachment disposition for non-whitelisted MIME types
- Scan existing document uploads for potentially malicious content
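The following is an added example, not HotCRP's own code, that ties the Root Cause section to the header audit recommended above: it encodes the advisory's whitelist of inline-safe MIME types as the expected behaviour and compares it with the Content-Disposition actually returned. SAMPLE_RESPONSES are constructed headers rather than captured traffic, and the audit handles the cases a real check must get right: Content-Type parameters, mixed case, and a missing Content-Disposition header, which browsers treat as inline.

```python
# Inline-safe whitelist as described in the advisory.
SAFE_INLINE_TYPES = {"text/plain", "application/pdf", "image/gif", "image/jpeg", "image/png"}

def base_mime(content_type):
    """Drop parameters such as '; charset=utf-8' and normalize case."""
    return content_type.split(";", 1)[0].strip().lower()

def expected_disposition(content_type):
    """Patched behaviour: inline only for whitelisted types, attachment otherwise."""
    return "inline" if base_mime(content_type) in SAFE_INLINE_TYPES else "attachment"

def disposition_type(header_value):
    """Disposition type of a Content-Disposition header; absent means inline (RFC 6266)."""
    if not header_value:
        return "inline"
    return header_value.split(";", 1)[0].strip().lower()

def audit_response(url, headers):
    """Return a finding when a non-whitelisted type would render inline, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "application/octet-stream")
    actual = disposition_type(h.get("content-disposition"))
    if expected_disposition(ctype) == "attachment" and actual != "attachment":
        return f"{url}: {base_mime(ctype)} served as {actual}, expected attachment"
    return None

# Constructed sample responses (not captured traffic): (url, response headers).
SAMPLE_RESPONSES = [
    ("/doc/paper1.pdf", {"Content-Type": "application/pdf",
                         "Content-Disposition": 'inline; filename="paper1.pdf"'}),
    ("/doc/notes.html", {"Content-Type": "text/html; charset=utf-8",
                         "Content-Disposition": 'inline; filename="notes.html"'}),
    ("/doc/figure.svg?save=0", {"Content-Type": "image/svg+xml"}),  # no header: rendered inline
    ("/doc/data.csv", {"Content-Type": "text/csv",
                       "Content-Disposition": 'attachment; filename="data.csv"'}),
]

def audit_all(responses=SAMPLE_RESPONSES):
    """Run the audit over every (url, headers) pair and collect the findings."""
    return [f for f in (audit_response(u, h) for u, h in responses) if f]

if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

To audit a live deployment, feed the function the status headers returned for a representative document of each type; any finding for a non-whitelisted type means the instance still has the vulnerable behaviour.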
Monitoring Recommendations
- Implement file type validation and content scanning for uploaded documents
- Monitor for requests containing the save=0 parameter in document URLs
- Set up alerts for suspicious sequences of document access followed by privileged API operations
- Review access logs for patterns indicating credential theft or session hijacking
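An added example (not part of HotCRP or this advisory) of the upload content scan recommended in the detection and monitoring lists above: it sniffs the leading bytes of each file instead of trusting the extension, so HTML stored under a .pdf name is still flagged. SAMPLE_UPLOADS are constructed byte strings, and the marker patterns are a heuristic for triage, not a full HTML parser.

```python
import re

# Markers a browser would treat as HTML or SVG when the file is rendered inline.
HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html[\s>]|<svg[\s>]", re.IGNORECASE)
# Heuristic signs of active content inside such markup (not a full HTML parser).
ACTIVE_CONTENT = re.compile(
    rb"<script[\s>]|\bon[a-z]+\s*=|javascript:|<(iframe|object|embed)[\s>]", re.IGNORECASE)

def sniff(data):
    """Coarse sniff of the first KiB: 'pdf', 'png', 'html_or_svg' or 'other'."""
    head = data[:1024].lstrip()
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"\x89PNG"):
        return "png"
    if HTML_MARKERS.search(head):
        return "html_or_svg"
    return "other"

def scan_upload(name, data):
    """Findings for one upload; the extension is reported, never trusted."""
    findings = []
    if sniff(data) == "html_or_svg":
        findings.append("renderable markup (HTML/SVG)")
        if ACTIVE_CONTENT.search(data):
            findings.append("active content")
        if name.lower().endswith(".pdf"):
            findings.append("extension mismatch")
    return findings

def scan_all(uploads):
    """Scan a {filename: bytes} mapping and keep only the flagged files."""
    results = {}
    for name, data in uploads.items():
        findings = scan_upload(name, data)
        if findings:
            results[name] = findings
    return results

# Constructed sample uploads (not real submissions); the second .pdf is HTML in disguise.
SAMPLE_UPLOADS = {
    "paper.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n",
    "appendix.txt": b"Plain-text appendix with nothing renderable.\n",
    "figure.svg": b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">'
                  b"<script>void 0</script></svg>",
    "notes.pdf": b'<!DOCTYPE html><html><body onload="void 0">HTML named .pdf</body></html>',
    "logo.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
}
```

Run scan_all over the bytes of each stored attachment; files reported with "renderable markup" are the ones a vulnerable instance would have rendered inline and deserve manual review.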
How to Mitigate CVE-2026-25156
Immediate Actions Required
- Upgrade HotCRP to version v3.2.1 or later immediately
- Review recently uploaded documents for suspicious HTML or SVG content
- Audit user activity logs for signs of exploitation
- Consider temporarily restricting file upload capabilities until patched
Patch Information
The vulnerability has been fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and HotCRP version v3.2.1. This patch restores proper Content-Disposition handling, ensuring only whitelisted safe MIME types are served inline. Additionally, commit c3d88a7e18d52119c65df31c2cc994edd2beccc5 (also included in v3.2.1) removes support for the save=0 URL parameter that could override content delivery settings. For detailed information, see the GitHub Security Advisory.
Workarounds
- Restrict file upload permissions to trusted users only until the patch can be applied
- Implement a web application firewall (WAF) rule to force download disposition for all document requests
- Configure reverse proxy to override Content-Disposition headers for non-whitelisted MIME types
- Block or filter requests containing the save=0 parameter at the web server level
# Example nginx configuration to force download for non-safe content types.
# "map" (http context) is used instead of "if": "if" runs before the proxied
# response exists, while a map variable is evaluated lazily when add_header runs.
map $upstream_http_content_type $doc_disposition {
    # Keep the upstream's own Content-Disposition for everything else (e.g. PDFs)
    default "$upstream_http_content_disposition";
    # Force attachment disposition for potentially dangerous file types
    "~*^(text/html|image/svg)" "attachment";
}
location /doc/ {
    # (existing proxy_pass directive for HotCRP goes here)
    proxy_hide_header Content-Disposition;
    add_header Content-Disposition $doc_disposition always;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

