CVE-2026-24479

HUSTOJ has Arbitrary File Write (Zip Slip) in Problem Import Modules that leads to RCE

CVSS 9.3 (Critical) · EPSS 7.9% · CWE-22
Vexday Risk Score: 63 (High priority)
SSVC decision (CISA): Attend (PoC available → attend closely)
CVSS 9.3 · EPSS 7.9% · KEV: no · PoC: public · Nuclei · Metasploit: yes · Patch
Lifecycle
26 Jan 2026: Metasploit module available
27 Jan 2026: Published on NVD
30 Apr 2026: Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
HUSTOJ is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. An attacker can craft a malicious ZIP file containing entries whose names carry path traversal sequences (e.g., ../../shell.php). When the server extracts such an archive, those entries are written to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue.
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
zhblue · hustoj
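The check the advisory describes as missing, shown from the defender's side as an added Python example (not HUSTOJ's own code, which is PHP): every archive entry name is resolved against the extraction directory and rejected when the resolved path leaves it. The sample archive, its entry names and the temporary directory prefix are constructed for the demonstration.

```python
import os
import shutil
import tempfile
import zipfile
from io import BytesIO

def resolve_entry(dest_dir: str, name: str):
    """Absolute path the entry would be written to, or None if it escapes dest_dir (Zip Slip)."""
    normalized = name.replace("\\", "/")             # treat Windows separators as separators
    if not normalized or normalized.startswith("/"):
        return None                                   # empty or absolute entry names
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, normalized))
    # realpath collapses ".." and follows existing symlinks, so containment of the resolved path is the test
    return target if os.path.commonpath([dest_real, target]) == dest_real else None

def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Extract only entries that resolve inside dest_dir; return (extracted, rejected) names."""
    extracted, rejected = [], []
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)        # skip (and log) instead of writing it
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    shutil.copyfileobj(src, dst)
            extracted.append(info.filename)
    return extracted, rejected

def build_sample_zip() -> bytes:
    """Constructed sample archive: legitimate problem files beside a Zip Slip entry."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("problem/1.in", "1 2\n")
        zf.writestr("problem/sub/../1.out", "3\n")      # has ".." but stays inside
        zf.writestr("../../shell.php", "placeholder")   # the traversal name from the advisory
    return buf.getvalue()

def demo():
    # extract the constructed sample into a throwaway directory and return (extracted, rejected)
    dest = tempfile.mkdtemp(prefix="problem_import_")
    try:
        return safe_extract(build_sample_zip(), dest)
    finally:
        shutil.rmtree(dest, ignore_errors=True)
```

Calling demo() extracts the two legitimate files and rejects ../../shell.php; in a real importer the rejected names should also be logged, since a traversal entry in an upload is itself a detection signal.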