{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23836", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T15:46:40.841Z", "datePublished": "2026-01-19T18:06:04.928Z", "dateUpdated": "2026-01-20T21:40:24.493Z"}, "containers": {"cna": {"title": "HotCRP vulnerable to remote code execution through formulas", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h"}, {"name": "https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9", "tags": ["x_refsource_MISC"], "url": "https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9"}, {"name": "https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834", "tags": ["x_refsource_MISC"], "url": "https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834"}], "affected": [{"vendor": "kohler", "product": "hotcrp", "versions": [{"version": "= 3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T18:06:04.928Z"}, "descriptions": [{"lang": "en", "value": "HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2."}], "source": {"advisory": "GHSA-hpqh-j6qx-x57h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T21:40:18.179013Z", "id": "CVE-2026-23836", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T21:40:24.493Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23836", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T21:40:18.179013Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T21:40:22.096Z"}}], "cna": {"title": "HotCRP vulnerable to remote code execution through formulas", "source": {"advisory": "GHSA-hpqh-j6qx-x57h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kohler", "product": "hotcrp", "versions": [{"status": "affected", "version": "= 3.1"}]}], "references": [{"url": "https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h", "name": "https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9", "name": "https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834", "name": "https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T18:06:04.928Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23836", "state": "PUBLISHED", "dateUpdated": "2026-01-20T21:40:24.493Z", "dateReserved": "2026-01-16T15:46:40.841Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T18:06:04.928Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hotcrp:hotcrp:*:*:*:*:*:*:*:*", "matchCriteriaId": "B96A133C-9FF9-4749-9340-E21E8FBB2A13", "versionEndExcluding": "3.2", "versionStartIncluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2."}], "id": "CVE-2026-23836", "lastModified": "2026-02-18T16:01:00.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-19T18:16:06.147", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:51:34.926449+00:00", "value": {"mitigation_remediation": ["Upgrade HotCRP to version 3.2 or later.", "If immediate upgrade cannot be performed, restrict or disable the formula editing feature to prevent code injection.", "Verify that all users with formula creation privileges are legitimate and monitor for abnormal activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected vendor: Kohler HotCRP (conference review software). The vulnerability exists in all 3.1 releases that include the April 2024 patch, and is resolved starting with release version 3.2. No other product versions are listed as impacted, but any installation running HotCRP 3.1 or earlier is potentially vulnerable.", "description_and_impact": "HotCRP's formula engine was compromised by a missing sanitization step introduced in April 2024 that caused PHP code generated from user supplied formulas to run unfiltered. The flaw allows an attacker with formula creation rights to inject and execute arbitrary PHP code on the server, leading to full compromise of the HotCRP instance, including theft of credentials, data exfiltration, or modification of reviews.", "risk_and_exploitability": "The CVSS base score is 10, indicating maximum severity. The EPSS score is below 1%, suggesting exploitation probability is currently very low. The vulnerability is not present in the CISA KEV catalog. Likely exploitation requires the attacker to create or edit a formula through the web UI, which usually requires at least reviewer or author rights, so the attack vector is remote via the web interface from an authenticated user with formula privileges."}}}}, "created": "2026-01-20T08:40:31.309989+00:00", "updated": "2026-04-18T16:00:04.284822+00:00", "vendors": ["hotcrp", "hotcrp$PRODUCT$hotcrp"]}