HotCRP
cpe:2.3:a:hotcrp:hotcrp:*:*:*:*:*:*:*
- >= 3.0, <= 3.1
A remote code execution vulnerability has been identified in the HotCRP conference review software, affecting versions 3.0.0 prior to 3.1. The issue arises from inadequately sanitized code generation for HotCRP formulas, which allowed users to execute arbitrary PHP code. The vulnerability was introduced in April 2024, after the initial release of version 3.0.0.
Exploitation of this vulnerability allows for arbitrary PHP code execution on the server where HotCRP is running.
The vulnerability can be reproduced by creating a HotCRP formula that contains code which is not sanitized during code generation. When the formula is processed, the injected PHP code is executed, demonstrating the remote code execution flaw.
Users can upgrade to HotCRP version 3.2 to address this vulnerability.