VYPR
Unrated severityOSV Advisory· Published Jan 19, 2026· Updated Jan 20, 2026

HotCRP vulnerable to exposure of submitted documents

CVE-2026-23878

Description

HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Kohler/HotcrpOSV2 versions
    SITE_HotNetsV, v2.0, v2.0b1, …+ 1 more
    • (no CPE)range: SITE_HotNetsV, v2.0, v2.0b1, …
    • (no CPE)range: >= aa20ef288828b04550950cf67c831af8a525f508 and < ceacd5f1476458792c44c6a993670f02c984b4a0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.