HotCRP Cross-Site Scripting Vulnerability via Comment Attachments

Vulnerability

A cross-site scripting vulnerability has been identified in HotCRP, a conference review system, affecting versions released between October 2025 and January 2026. These versions delivered uploaded documents with an inline Content-Disposition, so browsers rendered them in place instead of offering them as downloads. An uploaded HTML or SVG document could therefore execute script in the viewer's browser, in the HotCRP origin, where it could read the viewer's HotCRP credentials and make arbitrary calls to HotCRP's API. The vulnerability could be exploited by uploading malicious documents to submission fields of the 'file upload' or 'attachment' types, or as comment attachments. PDF upload fields were not vulnerable.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker could upload a malicious document that executes JavaScript in the context of the user's HotCRP session.

Reproduction

To reproduce this vulnerability, upload a malicious HTML or SVG document to a submission field that accepts file uploads or as an attachment to a comment. Then, access the document through the HotCRP interface, which will trigger the execution of the embedded JavaScript.

Remediation

Users can update to HotCRP version 3.2.1, which addresses this vulnerability by correcting the Content-Disposition handling for documents.
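The header logic the advisory describes, as an added example that is not HotCRP's own code: uploaded documents are served with an inline disposition only for a small allow-list of passive types (PDF and images), everything else is forced to download, and every response carries nosniff and a sandboxing CSP so a mislabelled file cannot run script in the application's origin. The type lists and the `flags_inline_active_content` check are assumptions for illustration, usable for auditing response headers from a deployment.

```python
# Added example (not HotCRP code): safe response headers for user-uploaded documents.

# Types browsers execute as active content when rendered inline (constructed list).
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}

# Passive types a reviewer legitimately expects to open in the browser (constructed list).
INLINE_ALLOWED_TYPES = {"application/pdf", "image/png", "image/jpeg", "text/plain"}


def document_headers(mimetype: str, filename: str) -> dict:
    """Return the response headers for serving one uploaded document.

    Only allow-listed passive types are sent inline; anything else, including
    HTML and SVG, is sent as an attachment. nosniff stops the browser from
    re-guessing the type, and the sandbox CSP blocks script even if a file
    somehow reaches the renderer.
    """
    base = mimetype.split(";", 1)[0].strip().lower()
    # Strip characters that could break out of the quoted filename parameter.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    disposition = "inline" if base in INLINE_ALLOWED_TYPES else "attachment"
    return {
        "Content-Type": base,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


def flags_inline_active_content(headers: dict) -> bool:
    """True when a response would render active content inline (the pre-fix behaviour).

    Useful for checking captured response headers from a document download.
    """
    ctype = headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    disp = headers.get("Content-Disposition", "").split(";", 1)[0].strip().lower()
    return ctype in ACTIVE_CONTENT_TYPES and disp != "attachment"
```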

Added: Jan 30, 2026, 11:19 PM
Updated: Jan 30, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          1.7
  exploitability  7.4
  remediation     7.7
  relevance       2.5
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.