Description
HUSTOJ is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

HUSTOJ, an open-source online judge, contains an arbitrary file write flaw caused by Zip Slip in the problem_import_qduoj.php and problem_import_hoj.php modules. An attacker crafts a ZIP archive whose entry names carry path traversal sequences (e.g., ../../shell.php). Because the importer joins those names onto the extraction directory without sanitizing them, extraction writes attacker-controlled files to arbitrary locations, including the web root; a PHP file dropped there is served and executed by the web server, giving remote code execution with the privileges of the web server process. The underlying weakness is improper limitation of a pathname to a restricted directory, CWE-22.

Affected Systems

The issue affects all HUSTOJ installations running a version earlier than 26.01.24. The vendor fixed it in release 26.01.24 by sanitizing the filenames taken from uploaded ZIP archives before extraction. Installations on older versions remain vulnerable until they are upgraded.

Risk and Exploitability

The CVSS v4.0 base score of 9.3 (v3.1: 9.8) rates the flaw critical; both published vectors assess it as network-reachable with no privileges and no user interaction required. The EPSS score below 1 % indicates a low probability of observed exploitation at present, but the outcome is remote code execution, so the flaw warrants prompt action. The attack path is remote: an adversary uploads a malicious ZIP file to one of the import modules, and the path traversal fires during server-side extraction. Operators should check whether their deployment exposes the import modules to unauthenticated users or only to administrators, since that governs actual reachability regardless of the PR:N rating. The absence of a KEV listing does not reduce the risk; the vulnerability is actionable and should be patched promptly.

Generated by OpenCVE AI on April 18, 2026 at 02:30 UTC.

Remediation

The vendor fix is included in HUSTOJ release 26.01.24; upgrade to that version or later. No separate workaround has been published.

OpenCVE Recommended Actions

  • Upgrade HUSTOJ to version 26.01.24 or later to apply the path traversal fix.
  • Restrict or disable the problem_import_qduoj.php and problem_import_hoj.php import modules for users who do not need them.
  • If you maintain the code and cannot upgrade immediately, validate each ZIP entry name before extraction: reject absolute paths and any name that resolves outside the intended extraction directory after canonicalization (not just the literal ../../ sequence), and refuse the whole archive if a single entry fails.
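The Zip Slip mechanism described under Impact, and the entry-name validation the last recommended action calls for, as an added example in Python. This is not HUSTOJ's code and not an exploit for it: it builds a constructed archive in memory containing a ../../shell.php entry with an inert placeholder body, shows a naive extractor that joins the entry name onto the destination and so writes outside it, and shows a hardened extractor that canonicalizes every entry against the destination and refuses the whole upload if any entry escapes. The function names, the scratch directory layout and the placeholder payload are this example's own assumptions.

```python
"""Zip Slip, both sides: craft a traversal archive in memory, show the
naive extraction pattern escaping its target directory, and show a
hardened extractor that refuses the upload.  Added example, not HUSTOJ
code; the archive, names and placeholder body are constructed here."""
import io
import os
import tempfile
import zipfile

# Constructed hostile entry name, the shape the advisory describes.
TRAVERSAL_NAME = "../../shell.php"


def build_malicious_zip() -> bytes:
    """Return a ZIP with one benign entry and one traversal entry.
    zipfile stores the name verbatim; nothing strips the '..' for us.
    The body is an inert placeholder, not a web shell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("problem/description.md", "# Problem A\n")
        zf.writestr(TRAVERSAL_NAME, "<?php echo 'placeholder'; ?>\n")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """The vulnerable pattern: join the entry name onto dest and write.
    Returns the canonical paths actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # no validation at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_safe_entry(name: str, dest: str) -> bool:
    """True only if name is relative and resolves strictly inside dest
    after canonicalisation. Catches '../x', 'a/../../x', absolute names
    and bare '.' or '..', not just the literal '../../' sequence."""
    if not name or name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return target.startswith(dest_real + os.sep)


def safe_extract(zip_bytes: bytes, dest: str):
    """Validate every entry first, then write; returns (written, rejected).
    Fails closed: one hostile entry rejects the whole upload, so nothing
    from a tampered archive lands on disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        rejected = [i.filename for i in infos if not is_safe_entry(i.filename, dest)]
        if rejected:
            return [], rejected
        written = []
        dest_real = os.path.realpath(dest)
        for info in infos:
            if info.is_dir():
                continue
            target = os.path.join(dest_real, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written, []


def demo() -> dict:
    """Run both extractors in a scratch tree; dest sits two levels deep so
    the '../../' escape stays inside the temporary directory."""
    payload = build_malicious_zip()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "a", "b", "upload")
        os.makedirs(dest)
        inside = os.path.realpath(dest) + os.sep
        escaped = [p for p in naive_extract(payload, dest) if not p.startswith(inside)]
        safe_written, rejected = safe_extract(payload, os.path.join(tmp, "c", "upload"))
    return {
        "naive_escaped": [os.path.basename(p) for p in escaped],  # ['shell.php']
        "safe_written": safe_written,                             # []
        "safe_rejected": rejected,                                # ['../../shell.php']
    }


if __name__ == "__main__":
    print(demo())
```

The check is done on the canonical path rather than by searching for ../ so that encodings like a/../../x, a leading slash or a bare .. are all caught, and it runs over every entry before the first byte is written, so a hostile archive leaves nothing behind.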

Generated by OpenCVE AI on April 18, 2026 at 02:30 UTC.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 21:45:00 +0000

Type: CPEs
Values added: cpe:2.3:a:hustoj:hustoj:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 27 Jan 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 09:15:00 +0000

Type: First Time appeared
Values added: Hustoj; Hustoj hustoj

Type: Vendors & Products
Values added: Hustoj; Hustoj hustoj

Tue, 27 Jan 2026 01:00:00 +0000

Type: Description
Values added: HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue.

Type: Title
Values added: HUSTOJ has Arbitrary File Write (Zip Slip) in Problem Import Modules that leads to RCE

Type: Weaknesses
Values added: CWE-22

Type: References

Type: Metrics (cvssV4_0)
Values added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T14:42:04.040Z

Reserved: 2026-01-23T00:38:20.547Z

Link: CVE-2026-24479

Vulnrichment

Updated: 2026-01-27T14:41:58.821Z

NVD

Status : Analyzed

Published: 2026-01-27T01:16:02.017

Modified: 2026-03-02T21:32:57.010

Link: CVE-2026-24479

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:45:27Z

Weaknesses