CVE-2026-23836
HotCRP · conference review software · Multiple Products
Executive summary
A critical vulnerability has been identified in the HotCRP conference review software, designated CVE-2026-23836. This flaw allows an attacker to execute arbitrary code on the server by submitting a specially crafted formula, potentially leading to a complete system compromise, data theft, and service disruption. Organizations using the affected software are strongly advised to apply the available patch immediately to mitigate this high-risk threat.
Vulnerability
The vulnerability stems from inadequately sanitized code generation in the "HotCRP formulas" feature: the software does not properly validate and clean user-supplied input when it turns a formula into executable code. An authenticated user can craft a malicious formula containing arbitrary PHP code, which the application then executes on the server, giving the attacker remote code execution (RCE).
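The root cause described above is that user formulas are turned into host-language source and executed. The hardened alternative, shown here as an added example in Python rather than HotCRP's PHP and not taken from the project's code, is to parse the formula into a syntax tree and interpret only a whitelist of node types; the field names (`ovemer`, `rev`) and aggregate functions (`min`, `max`, `avg`) are hypothetical.

```python
import ast
import operator

# Constructed example (not HotCRP's code): a formula evaluator that never turns the
# user's formula into source text. The formula is parsed into an AST, every node is
# checked against a whitelist, and the tree is interpreted directly. Field names and
# functions are resolved from dictionaries, so nothing in the formula can reach the
# host language's interpreter or runtime.

class FormulaError(ValueError):
    """Raised for any syntax or node that is not on the whitelist."""

# Hypothetical operators and aggregate functions a review formula may use.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_CMPOPS = {ast.Gt: operator.gt, ast.Lt: operator.lt, ast.GtE: operator.ge,
           ast.LtE: operator.le, ast.Eq: operator.eq}
_FUNCS = {"min": min, "max": max, "avg": lambda *xs: sum(xs) / len(xs)}

def evaluate_formula(formula: str, fields: dict):
    """Evaluate `formula` over the review `fields` with a whitelist interpreter."""
    try:
        tree = ast.parse(formula, mode="eval")
    except SyntaxError as exc:
        raise FormulaError(f"cannot parse formula: {exc.msg}") from None
    return _eval(tree.body, fields)

def _eval(node, fields):
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name):  # a review field, never a Python name
        if node.id not in fields:
            raise FormulaError(f"unknown field {node.id!r}")
        return fields[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval(node.left, fields), _eval(node.right, fields))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval(node.operand, fields)
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _CMPOPS:
        return _CMPOPS[type(node.ops[0])](_eval(node.left, fields),
                                          _eval(node.comparators[0], fields))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in _FUNCS:
        if node.keywords:
            raise FormulaError("keyword arguments are not allowed")
        return _FUNCS[node.func.id](*(_eval(a, fields) for a in node.args))
    # Anything else (attribute access, subscripts, strings, other calls, lambdas)
    # is rejected outright instead of being passed to any code generator.
    raise FormulaError(f"disallowed construct: {type(node).__name__}")
```

Rejected formulas raise `FormulaError` before any evaluation happens, which also gives the application a single place to log suspicious submissions for the monitoring recommended below.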
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.9. Successful exploitation could lead to a complete compromise of the affected server, resulting in a severe loss of confidentiality, integrity, and availability. Potential consequences include the theft of sensitive intellectual property such as unpublished research papers, exposure of confidential reviewer and author identities, unauthorized modification of submission data, and disruption of the conference review process. An attacker could also use the compromised server as a pivot point to launch further attacks against the organization's internal network.
Remediation
Immediate Action: Update all instances of HotCRP to the patched version 3.2 or later. After patching, review web server and application access logs for any signs of suspicious activity or exploitation attempts that may have occurred before the update.
Proactive Monitoring: Implement enhanced monitoring on affected systems. Look for unusual or overly complex submissions in the HotCRP formula fields within application logs. Monitor for unexpected processes spawned by the web server user (e.g., www-data, apache) and any suspicious outbound network connections from the server.
Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:
- Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block malicious patterns attempting to inject code into formula fields.
- Restrict permissions for creating or editing formulas to a limited set of highly trusted administrative users.
- Implement file integrity monitoring on the web server to detect the creation of unauthorized files or backdoors.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a critical risk to the organization and requires immediate action. Due to the high severity score (9.9), which indicates a low-complexity attack that can be launched remotely, all affected HotCRP instances must be patched to version 3.2 without delay. Although this CVE is not currently listed on the CISA KEV catalog, its critical nature warrants treating it with the highest priority, as it is a prime target for exploitation.