CVE-2026-25156: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in kohler hotcrp
CVE-2026-25156 is a high-severity cross-site scripting (XSS) vulnerability in HotCRP conference review software version 3.2, introduced in October 2025 and fixed in version 3.2.1. The flaw arises because HotCRP delivers uploaded documents, including HTML or SVG files, inline in the browser instead of forcing a download, allowing malicious scripts to execute in the context of the user's session. Exploitation requires a user to click a malicious document link, after which an attacker can steal credentials and perform arbitrary API calls. The vulnerability affects file upload and attachment fields except PDF uploads. No known exploitation in the wild has been reported. The vulnerability has a CVSS 3.1 score of 7.3.
AI Analysis
Technical Summary
CVE-2026-25156 is a cross-site scripting vulnerability categorized under CWE-79, affecting HotCRP version 3.2, widely used conference review management software. The vulnerability was introduced in October 2025 through improper handling of Content-Disposition headers when delivering uploaded documents. HotCRP versions from October 2025 through January 2026 allowed every document type to be rendered inline in users' browsers rather than forcing a download, contrary to the intended behavior, which restricted inline rendering to specific MIME types such as text/plain, PDF, and common image formats. This flaw lets an attacker upload malicious HTML or SVG files via submission fields that accept file uploads or attachments (excluding PDF upload fields). When a user clicks such a document link, the embedded JavaScript executes in the origin of the HotCRP web application, with access to the user's session credentials. This can lead to unauthorized API calls, data exfiltration, or manipulation of conference review data. Exploitation requires that the attacker be able to upload files and that the victim click the malicious link; the attacker needs some level of user privileges (PR:L). The issue was fixed in HotCRP version 3.2.1 by restricting inline delivery and removing support for the save=0 URL parameter that forced inline rendering. No evidence of exploitation in the wild was found after scanning hotcrp.com. The CVSS 3.1 score of 7.3 reflects high severity due to the potential for credential theft and API misuse, with a network attack vector, low complexity, and user interaction required.
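The delivery decision at the heart of this flaw, as an added example that is not HotCRP's own code: a Python model of the pre-fix and fixed Content-Disposition logic, with the allowlist contents and the exact treatment of the save parameter assumed from the description above.

```python
# Added example (not HotCRP's code): models the delivery decision above.
# vulnerable_headers() mirrors the October 2025 behaviour (inline by default,
# save=0 forces inline); hardened_headers() mirrors the 3.2.1 fix as described
# (allowlisted types only, save ignored). The exact allowlist is assumed.
from typing import Dict, Optional

# Explicit allowlist of types safe to render inline. image/svg+xml is
# deliberately absent: SVG can carry <script>, so "common image formats"
# must be enumerated one by one, never matched as image/*.
INLINE_SAFE_TYPES = frozenset({
    "text/plain", "application/pdf", "image/png", "image/jpeg", "image/gif",
})


def _safe_filename(name: str) -> str:
    """Keep the filename header-safe: drop quotes, CR/LF and separators."""
    kept = "".join(c for c in name if c.isalnum() or c in "._- ")
    return kept.strip() or "document"


def _base_type(mime: str) -> str:
    """'TEXT/HTML; charset=utf-8' -> 'text/html' (parameters dropped)."""
    return mime.split(";", 1)[0].strip().lower()


def vulnerable_headers(mime: str, filename: str,
                       save: Optional[str] = None) -> Dict[str, str]:
    """Pre-fix behaviour: every document is inline unless save=1."""
    disposition = "attachment" if save == "1" else "inline"
    return {
        "Content-Type": _base_type(mime),
        "Content-Disposition": f'{disposition}; filename="{_safe_filename(filename)}"',
    }


def hardened_headers(mime: str, filename: str,
                     save: Optional[str] = None) -> Dict[str, str]:
    """Fixed behaviour: server policy alone decides; save is ignored."""
    base = _base_type(mime)
    disposition = "inline" if base in INLINE_SAFE_TYPES else "attachment"
    return {
        "Content-Type": base,
        "Content-Disposition": f'{disposition}; filename="{_safe_filename(filename)}"',
        # Stop the browser from re-sniffing a download as HTML.
        "X-Content-Type-Options": "nosniff",
    }


def is_inline(headers: Dict[str, str]) -> bool:
    """True if the response would render in the browser tab."""
    return headers["Content-Disposition"].startswith("inline")
```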
Potential Impact
For European organizations, especially academic institutions, research centers, and conference organizers using HotCRP 3.2, this vulnerability poses significant risks. Successful exploitation can lead to theft of user credentials, unauthorized access to sensitive review data, manipulation of conference submissions, and potential disruption of the peer review process. Confidentiality and integrity of sensitive academic data are at risk, which could undermine trust in conference management and affect reputations. The vulnerability requires user interaction and some privileges, limiting mass exploitation but still posing a targeted threat. Given the collaborative nature of academic conferences in Europe, attackers could leverage this flaw to gain footholds in networks or conduct espionage. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities post-disclosure. Organizations failing to patch or restrict upload capabilities remain vulnerable to targeted phishing or social engineering attacks involving malicious document links.
Mitigation Recommendations
European organizations should immediately upgrade HotCRP installations from version 3.2 to 3.2.1 or later, which contains the fix for this vulnerability. Until patching is possible, restrict file upload permissions to trusted users only and disable or tightly control the types of files allowed for upload, explicitly blocking HTML, SVG, and other executable content types. Implement Content Security Policy (CSP) headers to limit script execution and reduce the impact of potential XSS attacks. Educate users to avoid clicking on suspicious document links within the HotCRP environment. Monitor logs for unusual API calls or user behavior that could indicate exploitation attempts. Regularly audit uploaded documents for suspicious content and consider integrating malware scanning for uploaded files. Finally, review and remove support for the save=0 URL parameter if still in use, as it facilitates inline rendering of arbitrary documents.
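The "audit uploaded documents" step above, as an added example that is not HotCRP's own code: a content-sniffing check over stored uploads that flags HTML and SVG regardless of file extension or declared MIME type. The sample uploads are constructed for illustration.

```python
# Added example (not HotCRP's code): an offline audit of stored uploads that
# sniffs content rather than trusting the extension or declared MIME type, so a
# renamed HTML or SVG document in an attachment field is still flagged.
import re
from typing import Dict, List, Tuple

# Markers meaning "a browser would treat this as active content".
_ACTIVE_MARKERS = (
    re.compile(rb"<!doctype\s+html", re.I),
    re.compile(rb"<html[\s>]", re.I),
    re.compile(rb"<svg[\s>]", re.I),
    re.compile(rb"<script[\s>]", re.I),
    re.compile(rb"\son[a-z]+\s*=", re.I),   # inline event handlers
    re.compile(rb"javascript:", re.I),
)
_BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")


def classify_upload(data: bytes, peek: int = 4096) -> Tuple[bool, List[str]]:
    """Return (is_suspicious, matched_marker_patterns) for one document."""
    head = data[:peek]
    for bom in _BOMS:                        # a BOM must not hide the markup
        if head.startswith(bom):
            head = head[len(bom):]
            break
    if head.lstrip().startswith(b"%PDF-"):   # PDF is inline by design; out of scope
        return False, []
    hits = [m.pattern.decode() for m in _ACTIVE_MARKERS if m.search(head)]
    return bool(hits), hits


def audit_uploads(uploads: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each suspicious upload name to the markers that fired."""
    findings: Dict[str, List[str]] = {}
    for name, data in uploads.items():
        suspicious, hits = classify_upload(data)
        if suspicious:
            findings[name] = hits
    return findings


# Constructed sample uploads: benign text, a PDF, a renamed HTML page with a
# BOM, and an SVG with an event handler (the handler body is a placeholder).
SAMPLE_UPLOADS = {
    "notes.txt": b"Reviewer notes for paper 12.\n",
    "paper.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\n",
    "supplement.dat": b"\xef\xbb\xbf<!DOCTYPE html><html><body>...</body></html>",
    "figure.svg": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" onload="..."/>',
}
```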
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-29T15:39:11.822Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 697d3064ac06320222828d99
Added to database: 1/30/2026, 10:27:48 PM
Last enriched: 1/30/2026, 10:42:09 PM
Last updated: 1/31/2026, 7:25:50 AM