
CVE-2026-23836

Source: security-advisories@github.com

CRITICAL
9.9 CVSS Score

EXPLOITATION STATUS & MITIGATIONS

EXPLOIT STATUS: NO KNOWN EXPLOIT
REMEDIATION: PENDING

AFFECTED CLIENTS/SOFTWARE

No specific software information extracted.

DESCRIPTION

HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2.

TECHNICAL DATA

{
  "id": "CVE-2026-23836",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2026-01-19T18:16:06.147",
  "lastModified": "2026-01-19T18:16:06.147",
  "vulnStatus": "Received",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "CHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h",
      "source": "security-advisories@github.com"
    }
  ]
}

Status

Vuln Status: Received
Published: 1/19/2026
Updated: 1/19/2026

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H