CVE-2026-23873
Unknown Unknown - Not Provided
CSV Injection in hustoj Contest Rank Export Enables RCE

Publication date: 2026-01-22

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23873
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hustoj hustoj to 26.01.31 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1236 The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23873 is a Stored CSV Injection (Formula Injection) vulnerability in the zhblue/hustoj package. It occurs in the contest rank export functionality where the application exports user data, specifically the "Nickname" field, into an .xls file without sanitizing it. Since the .xls file is opened by Microsoft Excel, if a nickname starts with characters like '=', '+', '-', or '@', Excel interprets it as a formula. An attacker can exploit this by setting their nickname to a malicious Excel formula that executes commands when the file is opened by an administrator, potentially leading to remote code execution or data exfiltration. [1]

Impact Analysis

This vulnerability can lead to remote code execution (RCE) on the administrator's machine when they open the exported rank list in Microsoft Excel. An attacker can inject malicious Excel formulas through the nickname field, which Excel executes, potentially allowing arbitrary command execution or data exfiltration. This compromises the security of the administrator's system and any sensitive data accessible from it. [1]

Detection Guidance

This vulnerability can be detected by examining exported rank list .xls files for unsanitized user input in the "Nickname" field that begins with Excel formula trigger characters such as '=', '+', '-', or '@'. Specifically, check if the exported .xls files contain nicknames starting with these characters, which could indicate potential CSV Injection. A practical approach is to export the rank list and inspect the nicknames manually or use commands like `grep -E '^[=+\-@]' contestrank.xls` on the exported file to find suspicious entries. Additionally, reviewing the PHP source code (contestrank.xls.php and admin/ranklist_export.php) for lack of sanitization on the nickname field can help detect the vulnerability. [1]

Mitigation Strategies

Immediate mitigation involves sanitizing the "Nickname" field before exporting it to the .xls file to prevent Excel from interpreting it as a formula. Specifically, prepend a single quote (') to any nickname starting with '=', '+', '-', or '@'. This prevents Excel from executing the content as a formula. The recommended PHP fix is: ```php $nick = $row['nick']; if (preg_match('/^[=+\-@]/', $nick)) { $nick = "'" . $nick; } echo "" . htmlspecialchars($nick); ``` Until a patched release is available, applying this sanitization in the export scripts (contestrank.xls.php and admin/ranklist_export.php) is the best immediate step. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart