Cyber Posture

CVE-2026-24479

Severity: Critical
Published: 27 January 2026
Modified: 02 March 2026
KEV Added:
Patch: version 26.01.24
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0276 (86.1 percentile)
Risk Priority: 21 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

HUSTOJ is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires validation and sanitization of ZIP archive filenames to block path traversal sequences during upload and extraction.

prevent: Mandates identification, reporting, and correction of the filename sanitization flaw, such as by patching to version 26.01.24.

detect: Enables scanning for vulnerabilities like CVE-2026-24479 in the HUSTOJ platform to identify and prioritize remediation.

Security Summary

CVE-2026-24479 is a path traversal vulnerability (CWE-22) in HUSTOJ, an open-source online judge platform based on PHP, C++, MySQL, and Linux, used for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules do not properly sanitize filenames in uploaded ZIP archives. This allows attackers to include files with path traversal sequences, such as ../../shell.php, enabling arbitrary file writes to the web root when the archive is extracted on the server. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers with network access can exploit this issue by crafting and uploading a malicious ZIP file through the affected import modules. Upon server-side extraction, the payload overwrites or creates files in unintended locations, such as the web root, facilitating remote code execution (RCE). No user interaction or privileges are required, making it highly accessible for remote exploitation.

The GitHub security advisory (GHSA-xmgg-2rw4-7fxj) and commit 902bd09e6d0011fe89cd84d4236899314b33101f detail the fix in version 26.01.24, which addresses filename sanitization during ZIP extraction. Security practitioners should upgrade to this version or later and review access to the import endpoints.
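The flaw class described above is usually called zip slip: an extractor joins each archive member name onto the destination directory and trusts the result, so a member named ../../shell.php lands two directories above the import folder. The following is an added example (not HUSTOJ's code, and not the fix from the referenced commit) that builds such an archive in memory, shows the naive extraction pattern writing outside its target, and then shows a hardened extractor that resolves every member path and refuses the whole upload if any entry would escape. All function names, the constructed archive contents and the destination paths are hypothetical.

```python
"""Zip-slip demo: a naive ZIP import next to a hardened one.

Added example, not HUSTOJ's own code. build_zip, naive_extract,
unsafe_members, safe_extract and demo are hypothetical names; the
archive contents below are constructed for the demo.
"""
import io
import os
import tempfile
import zipfile

# Constructed sample archives. EVIL_ENTRIES mimics a problem import that
# smuggles a traversal entry alongside legitimate problem files.
GOOD_ENTRIES = {
    "problem/problem.json": b'{"title": "A+B"}',
    "problem/1.in": b"1 2\n",
}
EVIL_ENTRIES = dict(GOOD_ENTRIES)
EVIL_ENTRIES["../../shell.php"] = b"<?php system($_GET['c']); ?>"


def build_zip(entries):
    """Build a ZIP in memory, keeping member names exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_extract(zip_bytes, dest):
    """The vulnerable pattern: join the member name onto dest and write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # "../" walks out of dest
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def unsafe_members(zip_bytes, dest):
    """Return member names that would land outside dest.

    Backslashes are treated as separators too, and absolute names are
    caught because os.path.join discards dest when the member is absolute.
    """
    root = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
            if os.path.commonpath([root, target]) != root:
                bad.append(name)
    return bad


def safe_extract(zip_bytes, dest):
    """Refuse the whole archive if any member escapes dest; otherwise extract."""
    bad = unsafe_members(zip_bytes, dest)
    if bad:
        raise ValueError("zip-slip attempt, refusing archive: %r" % bad)
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(root, info.filename.replace("\\", "/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.relpath(target, root))
    return written


def demo():
    """Run both extractors in a throwaway tree two levels below a temp root.

    Returns (naive_escaped, safe_rejected, safe_written_for_clean_archive).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        dest = os.path.join(tmp, "upload", "import")
        os.makedirs(dest)
        evil = build_zip(EVIL_ENTRIES)
        naive_extract(evil, dest)
        # ../../shell.php relative to tmp/upload/import resolves to tmp/shell.php
        escaped = os.path.exists(os.path.join(tmp, "shell.php"))
        try:
            safe_extract(evil, dest)
            rejected = False
        except ValueError:
            rejected = True
        clean = safe_extract(build_zip(GOOD_ENTRIES), dest)
        return escaped, rejected, clean


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping when porting this to the PHP import code: reject the entire upload rather than skipping the bad entries, since a partially imported problem is itself a sign of tampering, and perform the path check on the resolved (realpath) form so that a symlink dropped by an earlier member cannot redirect a later one. This example only addresses the path check, which is the flaw class the advisory names; a production importer would additionally restrict member extensions so that .php files are never written under the web root at all.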

Details

CWE(s)

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")

Affected Products

hustoj / hustoj: versions prior to 26.01.24 (fixed in 26.01.24)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a path traversal in a public-facing web application's ZIP import endpoints, enabling unauthenticated remote arbitrary file writes to the web root for RCE, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References