CVE-2026-24479
Published 2026-01-27
Priority P178 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit available · EPSS 7.90% (94.0th percentile)
HUSTOJ is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hustoj | hustoj | < 26.01.24 | 26.01.24 |
| zhblue | hustoj | < 26.01.24 | 26.01.24 |
Detection & IOCs (extracted from sources)
Source: https://github.com/oxagast/oxasploits/blob/JoshuaJohnWard/exploits/CVE-2026-24479/hustoj_problem_import_rce.rb
Detections:
- Detect multipart/form-data POST requests to /admin/problem_import_qduoj.php or /admin/problem_import_hoj.php containing ZIP archives with path traversal sequences (../) in filenames.
- Alert on creation of .php files outside expected upload directories (e.g., written to web root /home/judge/src/web/) following a ZIP extraction event on HUSTOJ.
- Monitor for HTTP GET requests to newly created .php files in the HUSTOJ web root immediately after a ZIP upload to the problem import endpoint, indicative of shell triggering.
- Detect presence of cleanup-msf.php in the HUSTOJ web root (/home/judge/src/web/cleanup-msf.php) as an artifact of Metasploit exploitation.
- Check for outbound reverse TCP connections (default LPORT 4444) from the web server process following a problem import ZIP upload, consistent with meterpreter_reverse_tcp payload execution.
- Inspect ZIP archive entries at upload time for filenames containing '../' traversal sequences; the Metasploit module uses a configurable traversal depth (default 6 levels: '../../../../../../').
- Monitor for ELF binary drops to /tmp/ from the web server process, as the exploit writes the meterpreter ELF payload to /tmp/<dropfile>-<rand_tag>.
- Detect sequential GET requests to /csrf.php followed by a POST to /login.php with an MD5-hashed password field, then a POST to /admin/problem_import_qduoj.php: this is the full exploit authentication and upload chain.
Notes:
- Exploitation requires authenticated admin credentials; the vulnerability is not unauthenticated. Detection should account for the login sequence preceding the malicious upload.
- The Metasploit module's traversal depth is configurable (traverse_limit option, default 6), so the number of '../' sequences in ZIP entry names will vary between exploit attempts.
- The dropped PHP shell filename includes a random 5-hex-character tag (rand_tag), making static filename-based detection insufficient; pattern-based detection (e.g., regex on web root for new .php files) is required.
- The patch strips '../' from filenames server-side; verify the fix is applied by confirming HUSTOJ version 26.01.24 or later is running.
- Both problem_import_qduoj.php and problem_import_hoj.php are vulnerable import endpoints; detection and patching must cover both modules.
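As an added example (not part of this advisory and not code from the HUSTOJ project), the following Python script shows the two defensive checks the detection notes above describe: inspecting every ZIP entry name for traversal components before anything is written to disk, and, as a second guard during extraction, resolving each target path with os.path.realpath and confirming it stays under the destination directory. The sample archives, the entry name ../../../../../../home/judge/src/web/x.php, and the problem/1000/... layout are constructed for the demo and are not HUSTOJ's real import format.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List


def is_unsafe_entry(name: str) -> bool:
    """True if a ZIP entry name could escape the extraction directory.

    Checks are made on normalised path components (backslashes are treated as
    separators, since archivers differ), not by deleting a substring from the name.
    """
    n = name.replace("\\", "/")
    if n.startswith("/"):                      # absolute path
        return True
    if len(n) >= 2 and n[0].isalpha() and n[1] == ":":   # Windows drive letter
        return True
    return ".." in n.split("/")                # any '..' component


def unsafe_entries(zip_bytes: bytes) -> List[str]:
    """Names of all entries that fail the traversal check (for upload-time inspection)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist() if is_unsafe_entry(info.filename)]


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Extract an archive under dest, rejecting the whole archive on any bad entry.

    Pass 1 validates every name; pass 2 writes files, re-checking the resolved
    target against the resolved destination so symlinks cannot redirect the write.
    """
    bad = unsafe_entries(zip_bytes)
    if bad:
        raise ValueError(f"rejected archive: traversal in entries {bad!r}")

    dest_real = os.path.realpath(dest)
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"rejected archive: {info.filename!r} resolves outside {dest_real}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_sample_zips():
    """Constructed sample archives: one benign, one carrying a zip-slip entry."""
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("problem/1000/problem.json", '{"title": "A+B"}')
        zf.writestr("problem/1000/testcase/1.in", "1 2\n")

    malicious = io.BytesIO()
    with zipfile.ZipFile(malicious, "w") as zf:
        zf.writestr("problem/1000/problem.json", "{}")
        # Constructed traversal entry, six levels deep like the advisory's default.
        zf.writestr("../../../../../../home/judge/src/web/x.php", "<?php /* placeholder */ ?>")
    return benign.getvalue(), malicious.getvalue()


def demo() -> Dict[str, object]:
    """Run both checks against the constructed archives and report the outcome."""
    benign, malicious = build_sample_zips()
    result: Dict[str, object] = {"flagged": unsafe_entries(malicious)}
    with tempfile.TemporaryDirectory() as d:
        result["benign_written"] = len(safe_extract(benign, d))
        try:
            safe_extract(malicious, d)
            result["malicious_rejected"] = False
        except ValueError:
            result["malicious_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The archive is rejected as a whole on the first offending entry rather than extracted with the bad entries skipped, so a partially imported problem never lands on disk, and the second check catches a destination that is itself a symlink pointing elsewhere.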
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No advisories linked to this vulnerability.
No detection rules found.
Exploit-DB: HUSTOJ Zip-Slip v26.01.24 - RCE (CVE-2026-24479, CRITICAL, 2026-04-30, CVSS 9.3)
---
```ruby
# Exploit Title: HUSTOJ Zip-Slip v26.01.24 - RCE
# Date: 2026-02-14
# Exploit Author: Marshall Whittaker / oxagast
# Vendor Homepage: https://github.com/zhblue/hustoj
# Software Link: http://123.158.38.129:8090/livecd/HUSTOJ25.05.iso
# (LiveCD, or see above git repo)
# Version: Before v26.01.24
# Tested on: Ubuntu
# CVE: CVE-2026-24479
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# This payload is configured for:
# msfvenom -p linux/x86/meterpreter_reverse_tcp --format elf
#
# Patch:
# $file_name = $path.zip_entry_name($dir_resource);
# $file_name=str_replace('../', '', $file_name);
# $file_path = substr($file_name,0,strrpos($file_name, "/"));
#
# msf exploit(loca
```
Metasploit: HUSTOJ Admin users can zip-slip problem_import_qduoj.php, planting PHP files in webroot for RCE (CVE-2026-24479, published 2026-01-27)