Unrated severityOSV Advisory· Published Jan 27, 2026· Updated Jan 27, 2026

HUSTOJ has Arbitrary File Write (Zip Slip) in Problem Import Modules that leads to RCE

CVE-2026-24479

Description

HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue.

Affected products

Zhblue/HustojOSV
Range: 100judges, 15.12, 16.05, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/zhblue/hustoj/commit/902bd09e6d0011fe89cd84d4236899314b33101fmitrex_refsource_MISC
github.com/zhblue/hustoj/security/advisories/GHSA-xmgg-2rw4-7fxjmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.045
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000