
4 matches found

OSV
added 2026/04/13 7:23 p.m., 0 views

GHSA-9PR4-RF97-79QH Note Mark has Stored XSS via Unrestricted Asset Upload

Summary A stored same-origin XSS vulnerability allows any authenticated user to upload an HTML, SVG, or XHTML file as a note asset and have it executed in a victim’s browser under the application’s origin. Because the application serves these files inline without a safe content type and without...

CVSS 8.7, AI score 5.8, EPSS 0.00012
Exploits 0, References 5
NVD
added 2026/01/30 11:16 p.m., 2 views

CVE-2026-25156

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. The intended behavior was for only text/plain, application/pdf,...

CVSS 7.3, EPSS 0.0006
Exploits 0, References 4
Vulnrichment
added 2026/01/30 10:11 p.m., 2 views

CVE-2026-25156 HotCRP vulnerable to stored XSS via comment attachments

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. The intended behavior was for only text/plain, application/pdf,...

CVSS 7.3, AI score 5.2, EPSS 0.0006
Exploits 0, References 4
CVE
added 2026/01/30 10:11 p.m., 6 views

CVE-2026-25156

HotCRP (versions 2025-10 to 2026-01) delivered inline content for all document types due to Content-Disposition handling, allowing HTML/SVG to render in the browser with HotCRP credentials and potential API access. Root cause: a commit introduced this behavior; it affected development versions an...

CVSS 7.3, AI score 5.8, EPSS 0.0006
Exploits 0, References 4, Affected Software 1