CVE-2026-24479
published 2026-01-27


Priority: P178 · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 7.90% (94.0th percentile)
HUSTOJ is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue.

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
hustoj   hustoj    < 26.01.24      26.01.24
zhblue   hustoj    < 26.01.24      26.01.24

Detection & IOCs (extracted from sources)

  path: /admin/problem_import_qduoj.php
  path: /admin/problem_import.php
  path: /cleanup-msf.php
  filename: cleanup-msf.php
  path: /home/judge/src/web/
  command: ../../shell.php
  url: https://github.com/oxagast/oxasploits/blob/JoshuaJohnWard/exploits/CVE-2026-24479/hustoj_problem_import_rce.rb
  url: https://github.com/zhblue/hustoj/commit/902bd09e6d0011fe89cd84d4236899314b33101f
  • Detect multipart/form-data POST requests to /admin/problem_import_qduoj.php or /admin/problem_import_hoj.php containing ZIP archives with path traversal sequences (../) in filenames.
  • Alert on creation of .php files outside expected upload directories (e.g., written to web root /home/judge/src/web/) following a ZIP extraction event on HUSTOJ.
  • Monitor for HTTP GET requests to newly created .php files in the HUSTOJ web root immediately after a ZIP upload to the problem import endpoint, indicative of shell triggering.
  • Detect presence of cleanup-msf.php in the HUSTOJ web root (/home/judge/src/web/cleanup-msf.php) as an artifact of Metasploit exploitation.
  • Check for outbound reverse TCP connections (default LPORT 4444) from the web server process following a problem import ZIP upload, consistent with meterpreter_reverse_tcp payload execution.
  • Inspect ZIP archive entries at upload time for filenames containing '../' traversal sequences; the Metasploit module uses a configurable traversal depth (default 6 levels: '../../../../../../').
  • Monitor for ELF binary drops to /tmp/ from the web server process, as the exploit writes the meterpreter ELF payload to /tmp/<dropfile>-<rand_tag>.
  • Detect sequential GET requests to /csrf.php followed by a POST to /login.php with an MD5-hashed password field, then a POST to /admin/problem_import_qduoj.php; this is the full exploit authentication and upload chain.
  • Exploitation requires authenticated admin credentials; the vulnerability is not unauthenticated. Detection should account for the login sequence preceding the malicious upload.
  • The Metasploit module's traversal depth is configurable (traverse_limit option, default 6), so the number of '../' sequences in ZIP entry names will vary between exploit attempts.
  • The dropped PHP shell filename includes a random 5-hex-character tag (rand_tag), making static filename-based detection insufficient; pattern-based detection (e.g., a regex over the web root for new .php files) is required.
  • The patch strips '../' from filenames server-side; verify the fix is applied by confirming HUSTOJ version 26.01.24 or later is running.
  • Both problem_import_qduoj.php and problem_import_hoj.php are vulnerable import endpoints; detection and patching must cover both modules.
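The upload-time inspection described in the bullets above (reject ZIP entries whose names contain traversal sequences, at any depth, rather than trusting them) can be implemented as a small pre-extraction audit. The following is an added example written for this record, not code from HUSTOJ or from the referenced patch: it resolves every entry name against a hypothetical extraction directory (`/tmp/problem_import`, a constructed value) and refuses anything that would land outside it, so the check does not depend on how many `../` components an attacker chose. It also assumes, as a policy of this example only, that a problem-import archive never legitimately contains `.php` files. The sample archive is built in memory and is constructed for the demonstration.

```python
import io
import posixpath
import zipfile

# Hypothetical extraction directory for the audit (constructed value, not HUSTOJ's).
EXTRACT_DIR = "/tmp/problem_import"


def entry_problems(name: str, extract_dir: str = EXTRACT_DIR) -> list:
    """Return the reasons a ZIP entry name must be rejected; an empty list means safe."""
    reasons = []
    # Treat backslashes as separators: some extractors do, and a check that
    # does not would let 'foo\..\bar' through unexamined.
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        reasons.append("absolute path")
    if ".." in norm.split("/"):
        reasons.append("contains '..' component")
    # Authoritative check, independent of traversal depth: resolve the entry
    # against the extraction directory and require the result to stay inside it.
    base = posixpath.normpath(extract_dir)
    target = posixpath.normpath(posixpath.join(base, norm.lstrip("/")))
    if target != base and not target.startswith(base + "/"):
        reasons.append("resolves outside extraction directory")
    # Example-only policy: import archives carry problem data, never server code,
    # so any .php entry is flagged wherever it would be written.
    if norm.lower().endswith(".php"):
        reasons.append("php file in import archive")
    return reasons


def audit_zip(zip_bytes: bytes) -> dict:
    """Map each unsafe entry name in the archive to its list of reasons.

    Runs over the central directory only; nothing is extracted.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = entry_problems(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real HUSTOJ import) mixing benign and unsafe entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("problem.json", "{}")                  # benign
        zf.writestr("testdata/1.in", "1 2\n")              # benign
        zf.writestr("../../shell.php", "placeholder\n")    # traversal, from the advisory text
        zf.writestr("a/../../escape.txt", "x")             # traversal hidden behind a directory
        zf.writestr("/abs/evil.txt", "x")                  # absolute path
        zf.writestr("plain.php", "x")                      # no traversal, still server code
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in audit_zip(build_sample_zip()).items():
        print(f"REJECT {entry!r}: {', '.join(why)}")
```

Rejecting the whole upload on the first finding is the safer server-side choice; stripping `../` and continuing leaves the decision to whatever the remaining string happens to resolve to. The same `entry_problems` logic can be run by a reviewer over an archive captured from a suspect POST to the import endpoint to confirm what the upload would have written.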

CVSS provenance

Source: nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: nvd · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X