CNNVD-202601-4972 Information

CNNVD ID

CNNVD-202601-4972

CVE ID

CVE-2026-25156

  • CNNVD Published: 2026-01-30

Description (Chinese, translated)

HotCRP Conference Review Software is software by the individual developer Eddie Kohler, used to manage review processes, especially for academic conferences. HotCRP Conference Review Software versions from October 2025 through January 2026 contain a cross-site scripting vulnerability caused by improper inline delivery of documents. It can lead to cross-site scripting attacks, allowing a malicious document to access user credentials and call the API.

Description (English)

HotCRP Conference Review Software is software maintained by the individual developer Eddie Kohler for managing review processes, particularly for academic conferences. HotCRP Conference Review Software versions from October 2025 through January 2026 contain a cross-site scripting vulnerability caused by improper inline delivery of documents. Because an uploaded document is delivered inline under the application's own origin, a malicious document can run script that accesses user credentials and calls the API.
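The vulnerability class above is a property of how a document store hands uploads back to the browser. The following is an added, self-contained Python example and not HotCRP code or the project's fix: it contrasts a handler that trusts the stored MIME type and always sends `Content-Disposition: inline` with a hardened handler that forces a download for anything a browser would treat as active content, pins the type, disables sniffing and sandboxes whatever is still rendered inline. The two type lists, the header model and the function names are this example's own assumptions.

```python
"""Serving user-uploaded documents: inline delivery vs. hardened delivery.

Added example, not code from HotCRP. Models the bug class on this page: when an
upload is rendered inline under the application's origin, an HTML or SVG file
runs script with the viewer's session and can call the site's API.
"""
import re

# Media types a browser executes script from when rendered in-origin.
# Assumption: a conservative list for the example, not exhaustive.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "text/javascript",
}

# Types this example allows inline: passive content plus PDF, which the
# browser shows in its own viewer. Assumption for the example.
INLINE_SAFE_TYPES = {
    "application/pdf", "image/png", "image/jpeg", "image/gif", "text/plain",
}

# Characters that must never reach a quoted-string header parameter.
_HEADER_UNSAFE = re.compile(r'[\r\n"\\\x00-\x1f]')


def _normalize_type(content_type: str) -> str:
    """Lower-case the media type and drop parameters such as charset."""
    return content_type.split(";", 1)[0].strip().lower()


def _safe_filename(filename: str) -> str:
    """Neutralise CR/LF, quotes and control bytes so the name cannot
    terminate the header or inject a new one."""
    cleaned = _HEADER_UNSAFE.sub("_", filename)
    return cleaned or "document"


def weak_headers(filename: str, content_type: str) -> dict:
    """Vulnerable pattern: trust the stored type and always deliver inline."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'inline; filename="{filename}"',
    }


def hardened_headers(filename: str, content_type: str, inline: bool = True) -> dict:
    """Deliver a stored document without letting it script the origin."""
    media_type = _normalize_type(content_type)
    name = _safe_filename(filename)
    headers = {
        # Browser must honour Content-Type instead of sniffing the body.
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "private, no-store",
        # Defence in depth: even if something executes, the sandbox gives it
        # an opaque origin with no cookies, storage or same-origin requests.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if inline and media_type in INLINE_SAFE_TYPES:
        headers["Content-Type"] = media_type
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        # Active content and unknown types are never rendered in this
        # origin: force a download and do not advertise a renderable type.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return headers


def browser_would_execute_script(headers: dict) -> bool:
    """Simplified model of the browser's decision: script runs with the
    site's origin only when the body is rendered inline, its type is active
    content, and no sandbox CSP applies."""
    disposition = headers.get("Content-Disposition", "inline")
    if disposition.split(";", 1)[0].strip().lower() == "attachment":
        return False
    if _normalize_type(headers.get("Content-Type", "")) not in ACTIVE_CONTENT_TYPES:
        return False
    return "sandbox" not in headers.get("Content-Security-Policy", "")


if __name__ == "__main__":
    # Constructed inputs: a submission that is really an HTML page, and a PDF.
    for name, ctype in (("paper.html", "text/html"), ("paper.pdf", "application/PDF")):
        print(name, "weak:", browser_would_execute_script(weak_headers(name, ctype)),
              "hardened:", browser_would_execute_script(hardened_headers(name, ctype)))
```

The check a reviewer wants from any document endpoint is the `browser_would_execute_script` question asked of the real response: fetch an uploaded `.html` or `.svg` file while logged in and confirm the reply carries `attachment` (or a sandboxing CSP) and `nosniff` rather than an inline HTML document on the application's origin.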

Hazard Level

High

Vulnerability Type

Cross-site scripting (XSS)

Affected Vendor

Individual developer

Published

2026-01-30

Last Modified

2026-02-24

References

  • https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476
  • https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508
  • https://github.com/kohler/hotcrp/commit/c3d88a7e18d52119c65df31c2cc994edd2beccc5
  • https://github.com/kohler/hotcrp/commit/8933e86c9f384b356dc4c6e9e2814dee1074b323
  • https://access.redhat.com/security/cve/cve-2026-25156

Patch

https://github.com/kohler/hotcrp
