CVE-2026-23873
CSV Injection in hustoj Contest Rank Export Enables RCE

Publication date: 2026-01-22

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which is actually an HTML table, but is opened by Excel). If a malicious user sets their nickname to an Excel formula, the formula is executed when an administrator exports the rank list and opens it in Microsoft Excel. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication.
Meta Information
Published: 2026-01-22
Last Modified: 2026-02-27
Generated: 2026-05-06
AI Q&A: 2026-01-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: hustoj | Product: hustoj | Version / Range: up to and including 26.01.31
CWE-1236: The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23873 is a Stored CSV Injection (Formula Injection) vulnerability in the zhblue/hustoj package. It occurs in the contest rank export functionality where the application exports user data, specifically the "Nickname" field, into an .xls file without sanitizing it. Since the .xls file is opened by Microsoft Excel, if a nickname starts with characters like '=', '+', '-', or '@', Excel interprets it as a formula. An attacker can exploit this by setting their nickname to a malicious Excel formula that executes commands when the file is opened by an administrator, potentially leading to remote code execution or data exfiltration. [1]


How can this vulnerability impact me?

This vulnerability can lead to remote code execution (RCE) on the administrator's machine when they open the exported rank list in Microsoft Excel. An attacker can inject malicious Excel formulas through the nickname field, which Excel executes, potentially allowing arbitrary command execution or data exfiltration. This compromises the security of the administrator's system and any sensitive data accessible from it. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by examining exported rank list .xls files for unsanitized user input in the "Nickname" field that begins with Excel formula trigger characters such as '=', '+', '-', or '@'. Specifically, check if the exported .xls files contain nicknames starting with these characters, which could indicate potential CSV Injection. A practical approach is to export the rank list and inspect the nicknames manually or use commands like `grep -E '^[=+\-@]' contestrank.xls` on the exported file to find suspicious entries. Additionally, reviewing the PHP source code (contestrank.xls.php and admin/ranklist_export.php) for lack of sanitization on the nickname field can help detect the vulnerability. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves sanitizing the "Nickname" field before exporting it to the .xls file to prevent Excel from interpreting it as a formula. Specifically, prepend a single quote (') to any nickname starting with '=', '+', '-', or '@'. This prevents Excel from executing the content as a formula. The recommended PHP fix is:

```php
$nick = $row['nick'];
// Prefix a formula-trigger character with a single quote so Excel keeps the value as text
if (preg_match('/^[=+\-@]/', $nick)) {
    $nick = "'" . $nick;
}
echo htmlspecialchars($nick);
```

Until a patched release is available, applying this sanitization in the export scripts (contestrank.xls.php and admin/ranklist_export.php) is the best immediate step. [1]
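The detection and mitigation answers above both hinge on one detail the advisory states: the exported .xls file is an HTML table, so a nickname never sits at the start of a line and a line-anchored `grep -E '^[=+\-@]'` finds nothing. The following Python script is an added example (not hustoj's code and not from the advisory) that covers both answers: it parses the table cells of an export and flags any cell whose first character is a formula trigger, then applies the advisory's single-quote prefix while rendering a hardened row. The sample export, the column layout and the `render_rank_row` helper are constructed for illustration; the tab and carriage-return triggers are taken from OWASP's CSV-injection guidance, and the assumption that the apostrophe prefix is honoured when Excel imports an HTML table should be confirmed against the Excel version the administrators actually use.

```python
import re
from html import escape
from html.parser import HTMLParser

# Leading characters that make a spreadsheet evaluate a cell as a formula.
# '=', '+', '-' and '@' are the four named in the advisory; tab and carriage
# return are additional triggers from OWASP's CSV-injection guidance.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")

# Constructed sample: a hustoj-style rank export, i.e. an HTML table served
# with an .xls extension. This is not a real export file.
SAMPLE_EXPORT = """<table border="1">
<tr><th>Rank</th><th>Nickname</th><th>Solved</th></tr>
<tr><td>1</td><td>alice</td><td>5</td></tr>
<tr><td>2</td><td>=1+1</td><td>4</td></tr>
<tr><td>3</td><td>@team</td><td>3</td></tr>
<tr><td>4</td><td>-bob</td><td>2</td></tr>
</table>
"""


class _CellCollector(HTMLParser):
    """Collect the text of every <td>/<th> cell, grouped by <tr>."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: entities are decoded
        self.rows = []
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell))
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)


def parse_export(html_text):
    """Return the export as a list of rows, each a list of cell strings."""
    collector = _CellCollector()
    collector.feed(html_text)
    collector.close()
    return collector.rows


def naive_grep_hits(html_text):
    """Emulate `grep -E '^[=+\\-@]'` on the file: it only matches a line that
    starts with a trigger, which a value inside <td> never does."""
    return [ln for ln in html_text.splitlines() if re.match(r"^[=+\-@]", ln)]


def find_formula_cells(html_text):
    """Return (row, column, text) for every cell whose first character, after
    leading spaces, is a formula trigger. The header row is row 0."""
    hits = []
    for r, row in enumerate(parse_export(html_text)):
        for c, cell in enumerate(row):
            text = cell.lstrip(" ")  # keep \t and \r: they are triggers
            if text and text[0] in FORMULA_TRIGGERS:
                hits.append((r, c, cell))
    return hits


def neutralize(value):
    """The advisory's recommended fix: prefix a trigger-led value with a
    single quote so the spreadsheet stores it as text."""
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def render_rank_row(rank, nick, solved):
    """Hardened version of one exported row (constructed; not hustoj's own
    code): neutralize the nickname, then HTML-escape every cell."""
    cells = [str(rank), neutralize(nick), str(solved)]
    return "<tr>" + "".join("<td>%s</td>" % escape(c) for c in cells) + "</tr>"


if __name__ == "__main__":
    print("line-anchored grep hits:", len(naive_grep_hits(SAMPLE_EXPORT)))
    for r, c, text in find_formula_cells(SAMPLE_EXPORT):
        print("row %d col %d: %r" % (r, c, text))
    print(render_rank_row(2, "=1+1", 4))
```

Run against the constructed export, the grep emulation reports zero hits while the cell parser flags the three trigger-led nicknames, which is why a review of an exported file should look at cell contents rather than line starts. Rejecting or normalizing such nicknames at registration time is a complementary defence-in-depth measure, since it keeps the trigger characters out of the database rather than relying on every export path to neutralize them.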

