CVE-2026-25156: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kohler hotcrp
HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and Javascript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with “file upload” or “attachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`.
AI Analysis
Technical Summary
CVE-2026-25156 is a cross-site scripting vulnerability (CWE-79) in HotCRP, widely used conference review software. Although classified as improper neutralization during web page generation, the defect lies in document delivery: versions from October 2025 through January 2026 (including v3.2) sent every stored document with an inline Content-Disposition header, so the browser rendered it instead of offering a download. The intended behaviour was to render inline only `text/plain`, `application/pdf`, and the common image types, but the affected builds rendered uploaded HTML and SVG inline as well. An attacker with upload rights could therefore place a malicious HTML or SVG file in any submission field of "file upload" or "attachment" type, or attach it to a comment (PDF upload fields were not affected). When a user clicked such a document link, the embedded JavaScript ran in the context of the HotCRP web application, with access to the viewer's HotCRP credentials and the ability to make arbitrary calls to HotCRP's API, which raises the risk of session hijacking, data manipulation, or unauthorized actions. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 on 11 October 2025 and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and version 3.2.1; commit c3d88a7e18d52119c65df31c2cc994edd2beccc5, also in v3.2.1, removes support for the `save=0` URL parameter that previously allowed inline delivery to be requested for any document. A search of documents uploaded to hotcrp.com found no evidence of exploitation in the wild. The CVSS v3.1 base score is 7.3 (High), reflecting a network attack vector, low attack complexity, privileges and user interaction required, high impact on confidentiality and integrity, and no impact on availability.
Potential Impact
For European organizations using HotCRP 3.2, especially academic institutions, research organizations, and conference organizers, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive review data and user credentials. Exploitation could lead to unauthorized access to confidential submissions, manipulation of review outcomes, or disclosure of personal information of reviewers and authors. The ability to perform arbitrary API calls could further allow attackers to escalate privileges or disrupt conference workflows. Given the collaborative and international nature of academic conferences in Europe, such a compromise could damage reputations, violate data protection regulations like GDPR, and disrupt critical research dissemination processes. Although no known exploitation has been reported, the ease of exploitation via user interaction and the widespread use of HotCRP in European academic circles heighten the threat. The vulnerability does not affect availability directly but could indirectly impact service trust and continuity.
Mitigation Recommendations
European organizations should immediately upgrade HotCRP installations from version 3.2 to version 3.2.1 or later, where the vulnerability is patched and the `save=0` inline rendering feature is removed. Until the upgrade is applied, administrators should restrict file upload types to exclude HTML and SVG formats and disable inline rendering of documents except for explicitly safe MIME types. Implement a strict Content Security Policy (CSP) to limit script execution from uploaded documents. Educate users to avoid clicking on suspicious document links within HotCRP. Regularly audit uploaded files for unauthorized content types and monitor API usage for anomalous behaviour. Additionally, review and tighten user privileges to minimize the impact of compromised credentials. Employ web application firewalls (WAF) with rules targeting XSS payloads in document uploads. Finally, maintain up-to-date backups and incident response plans tailored to web application compromises.
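The following Python is an added illustration written for this advisory; it is not HotCRP's own code and does not use HotCRP's API. It models the three delivery behaviours the description distinguishes (the intended allowlist with `save=0`, the vulnerable "everything inline" window, and the v3.2.1 fix) and the audit step recommended above: flagging stored uploads that the vulnerable builds would have rendered as active content. The function names, the `Upload` record, the markup heuristic and the sample uploads are assumptions constructed for the example; the `X-Content-Type-Options: nosniff` remark is a general defence-in-depth practice, not something the advisory states about HotCRP.

```python
"""Model of the HotCRP document-delivery decision behind CVE-2026-25156.

Constructed for this advisory; not HotCRP's own code. Function names, the
Upload record and the sample uploads below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# MIME types the advisory names as the intended inline allowlist.
INLINE_ALLOWLIST = frozenset({
    "text/plain", "application/pdf", "image/gif", "image/jpeg", "image/png",
})


def _normalize_mime(mime_type: str) -> str:
    """'Text/HTML; charset=utf-8' -> 'text/html'."""
    return mime_type.split(";", 1)[0].strip().lower()


def _safe_filename(name: str) -> str:
    """Keep the filename parameter from breaking out of its quotes."""
    return "".join(c for c in name if c.isprintable() and c not in '"\\')


def content_disposition(mime_type: str, filename: str,
                        mode: str = "fixed",
                        save_param: Optional[str] = None) -> str:
    """Return the Content-Disposition header value for one document.

    mode="intended":   allowlist only, but save=0 forces inline (pre-October 2025).
    mode="vulnerable": everything inline (October 2025 - January 2026 builds, v3.2).
    mode="fixed":      allowlist only, the save parameter is ignored (v3.2.1).

    Whatever the disposition, the response should also carry
    X-Content-Type-Options: nosniff so the browser does not promote an
    attachment to an active content type (general practice, not from the advisory).
    """
    mime = _normalize_mime(mime_type)
    if mode == "vulnerable":
        inline = True
    elif mode == "intended":
        inline = mime in INLINE_ALLOWLIST or save_param == "0"
    elif mode == "fixed":
        inline = mime in INLINE_ALLOWLIST
    else:
        raise ValueError(f"unknown mode {mode!r}")
    disposition = "inline" if inline else "attachment"
    return f'{disposition}; filename="{_safe_filename(filename)}"'


# Byte patterns that mean a browser would treat the body as active content
# if it were rendered inline. A heuristic for triage, not a full sniffer.
_MARKUP_MARKERS = (b"<!doctype html", b"<html", b"<svg", b"<script")


def looks_like_markup(head: bytes) -> bool:
    """True if the first bytes of a stored file look like HTML or SVG."""
    sample = head.lstrip(b"\xef\xbb\xbf \t\r\n")[:512].lower()
    return any(marker in sample for marker in _MARKUP_MARKERS)


@dataclass(frozen=True)
class Upload:
    doc_id: int
    field: str        # "paper", "supplement", "comment-attachment", ...
    mime_type: str    # as stored, i.e. as declared at upload time
    filename: str
    head: bytes       # first bytes of the stored file


def audit_uploads(uploads: List[Upload]) -> List[Tuple[int, str]]:
    """Flag uploads worth reviewing after the upgrade: anything outside the
    allowlist (rendered inline only by the vulnerable builds), plus anything
    whose bytes look like markup regardless of the declared type."""
    findings = []
    for u in uploads:
        vuln = content_disposition(u.mime_type, u.filename, mode="vulnerable")
        fixed = content_disposition(u.mime_type, u.filename, mode="fixed")
        if vuln.startswith("inline") and fixed.startswith("attachment"):
            findings.append((u.doc_id, "type outside inline allowlist"))
        elif looks_like_markup(u.head):
            findings.append((u.doc_id, "allowlisted type but body looks like markup"))
    return findings


# Constructed sample of stored uploads (not real HotCRP data).
SAMPLE_UPLOADS = [
    Upload(101, "paper", "application/pdf", "paper.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    Upload(102, "supplement", "text/html", "results.html", b"<!DOCTYPE html>\n<html><head>"),
    Upload(103, "supplement", "image/svg+xml", "fig1.svg",
           b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">'),
    Upload(104, "comment-attachment", "image/png", "screenshot.png",
           b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    Upload(105, "comment-attachment", "text/plain", "notes.txt",
           b"  <html><body>see attached</body></html>"),
]

if __name__ == "__main__":
    for u in SAMPLE_UPLOADS:
        for mode in ("intended", "vulnerable", "fixed"):
            print(u.doc_id, mode, content_disposition(u.mime_type, u.filename, mode))
    for doc_id, reason in audit_uploads(SAMPLE_UPLOADS):
        print(f"review document {doc_id}: {reason}")
```

Run as a script, it prints the disposition each build would have sent for every sample upload and then the audit findings: the HTML and SVG supplements are flagged because their types fall outside the allowlist, and the `text/plain` comment attachment is flagged because its body begins with HTML. The audit compares the vulnerable and fixed decisions rather than hard-coding "HTML and SVG" so that any other non-allowlisted type an uploader declared is caught as well.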
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-29T15:39:11.822Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697d3064ac06320222828d99
Added to database: 1/30/2026, 10:27:48 PM
Last enriched: 2/7/2026, 8:32:10 AM
Last updated: 3/17/2026, 11:37:18 AM