CVE-2026-23836 CRITICAL

CVE-2026-23836: HotCRP vulnerable to remote code execution through formulas

Vendor Kohler
Product hotcrp
Weakness CWE-20 · Improper Input Validation
Published January 19, 2026
Last update January 20, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

HotCRP is conference review software. A change introduced in April 2024, in version 3.1, led to inadequately sanitized code generation for HotCRP formulas: user-supplied formula text could influence the PHP code generated from a formula, allowing a low-privileged (authenticated, per the PR:L metric) user to trigger execution of arbitrary PHP code on the server. The problem is fixed in release 3.2; installations running 3.1 should upgrade.
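As an added illustration of the bug class the advisory names (formula text compiled into PHP source that is then evaluated), the following is a hypothetical toy formula compiler written for this page. It is not HotCRP's Formula code and does not reproduce the actual vulnerable routine; the grammar, field names and the attacker formula are all constructed. The unsafe generator splices raw formula substrings into the generated source, so the right-hand operand of a comparison can carry arbitrary PHP; the hardened generator validates every token against a strict grammar and an allowlist before anything reaches the source, and emits literals with var_export so they can only ever be literals.

```php
<?php
declare(strict_types=1);

// Hypothetical toy formula language, not HotCRP's: one comparison of the form
//   FIELD OP NUMBER        e.g.  score > 3
// compiled to a PHP closure that evaluates the formula against one row.

// VULNERABLE generator: the three substrings are pasted into PHP source as-is,
// so formula text becomes code once eval() runs it.
function generate_unsafe(string $formula): string {
    [$field, $op, $value] = array_pad(explode(' ', $formula, 3), 3, '');
    return "return function (array \$row) { return \$row['$field'] $op $value; };";
}

function compile_unsafe(string $formula): Closure {
    return eval(generate_unsafe($formula));
}

// HARDENED generator: every token is validated against the grammar and an
// allowlist before it is placed into the source, and the numeric literal is
// re-emitted with var_export so it is a PHP literal rather than raw text.
const ALLOWED_OPS = ['==', '!=', '<', '<=', '>', '>='];

function generate_safe(string $formula, array $allowed_fields): string {
    $grammar = '/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(==|!=|<=|>=|<|>)\s*(-?\d+(?:\.\d+)?)\s*$/';
    if (!preg_match($grammar, $formula, $m)) {
        throw new InvalidArgumentException('formula rejected: does not match grammar');
    }
    [, $field, $op, $value] = $m;
    if (!in_array($field, $allowed_fields, true) || !in_array($op, ALLOWED_OPS, true)) {
        throw new InvalidArgumentException('formula rejected: unknown field or operator');
    }
    return 'return function (array $row) { return $row[' . var_export($field, true)
        . "] $op " . var_export((float) $value, true) . '; };';
}

function compile_safe(string $formula, array $allowed_fields): Closure {
    return eval(generate_safe($formula, $allowed_fields));
}

// Demo on constructed input. The attacker formula is only ever passed to the
// source generator (printed, not eval'd) and to the hardened compiler.
$row    = ['score' => 4.0];
$fields = ['score'];
$benign = 'score > 3';
$attack = "score > 0 || system('id')";   // constructed attacker formula

var_dump((compile_unsafe($benign))($row));
echo generate_unsafe($attack), "\n";      // system('id') now sits inside the generated source
var_dump((compile_safe($benign, $fields))($row));
try {
    compile_safe($attack, $fields);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The hardened version still calls eval(), which keeps it close to the pattern the advisory describes; the stronger fix, where the formula language allows it, is to parse into an AST and interpret it directly so that no user-influenced string is ever compiled as PHP.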

Key dates

Disclosure timeline

January 19, 2026 CVE published
January 20, 2026 Record updated