CVE-2026-24479
Path Traversal in HUSTOF ZIP Import Enables Remote Code Execution
Publication date: 2026-01-27
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hustoj | hustoj | to 26.01.24 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to Remote Code Execution (RCE) on the affected server. An attacker can upload a specially crafted ZIP archive that, when extracted, writes malicious files to arbitrary locations within the web root. This can allow the attacker to execute arbitrary commands or code on the server, potentially leading to full system compromise, data theft, or service disruption. [1]
Can you explain this vulnerability to me?
This vulnerability is a critical Arbitrary File Write issue (known as Zip Slip) in the problem import modules of the zhblue/hustoj project. The affected modules fail to properly sanitize filenames inside uploaded ZIP archives. Attackers can craft malicious ZIP files containing path traversal sequences like '../../shell.php'. When the server extracts such a ZIP file, it writes files to arbitrary locations within the web root directory. This allows attackers to place malicious files, such as web shells, which can then be accessed to execute remote code on the server. The root cause is that the code concatenates filenames from the ZIP entries without filtering out dangerous path traversal sequences. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious ZIP file uploads containing path traversal sequences such as '../' in filenames. On the server, you can inspect extracted files from ZIP archives used in the problem import modules for unexpected files outside the intended directories. For example, you can search for recently created or modified files in the web root directory that should not be there, such as shell.php or other PHP files. Commands to detect suspicious files might include: 1) Find PHP files created or modified recently in the web root: `find /var/www/html -name '*.php' -mtime -7 -ls` 2) Search for files with path traversal patterns inside ZIP archives before extraction: `unzip -l suspicious.zip | grep '\.\./'` 3) Monitor web server access logs for requests to unexpected PHP files, e.g., `grep shell.php /var/log/apache2/access.log` or equivalent. These steps help identify exploitation attempts or presence of malicious files resulting from the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Update to version 26.01.24 or later of the zhblue/hustoj project, which contains a fix that sanitizes filenames by removing '../' sequences from ZIP archive entries before extraction. 2) If updating is not immediately possible, implement manual sanitization of filenames in the problem import modules by filtering out path traversal sequences such as '../' before extracting files. 3) Restrict file upload permissions and ensure the extraction process only writes files within a designated safe directory. 4) Monitor and remove any suspicious files that may have been uploaded via this vulnerability. 5) Consider disabling the problem import feature temporarily until the patch is applied. [2]