Home > Vulnerability Database > CVE-2026-23836

Mend.io Vulnerability Database

CVE-2026-23836

Good to know:

Date: January 19, 2026

HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2.

Severity Score

9.9

Related Resources (5)

Url: https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23836

Url: https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834

Url: https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h

Url: https://www.mend.io/vulnerability-database/CVE-2026-23836

Severity Score

9.9

Weakness Type (CWE)

Improper Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version https://github.com/kohler/hotcrp.git - v3.2

Learn More

CVSS v3.1

Base Score:	9.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23836

Good to know:

Date: January 19, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?