CVE-2026-23878 - HotCRP vulnerable to exposure of submitted documents

CVE ID : CVE-2026-23878 Published : Jan. 19, 2026, 7:16 p.m. | 1 hour, 6 minutes ago Description : HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...