CVE-2026-24479
Unknown Unknown - Not Provided
Path Traversal in HUSTOF ZIP Import Enables Remote Code Execution

Publication date: 2026-01-27

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24479
EUVD
EUVD-2026-4836
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hustoj hustoj to 26.01.24 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to Remote Code Execution (RCE) on the affected server. An attacker can upload a specially crafted ZIP archive that, when extracted, writes malicious files to arbitrary locations within the web root. This can allow the attacker to execute arbitrary commands or code on the server, potentially leading to full system compromise, data theft, or service disruption. [1]

Executive Summary

This vulnerability is a critical Arbitrary File Write issue (known as Zip Slip) in the problem import modules of the zhblue/hustoj project. The affected modules fail to properly sanitize filenames inside uploaded ZIP archives. Attackers can craft malicious ZIP files containing path traversal sequences like '../../shell.php'. When the server extracts such a ZIP file, it writes files to arbitrary locations within the web root directory. This allows attackers to place malicious files, such as web shells, which can then be accessed to execute remote code on the server. The root cause is that the code concatenates filenames from the ZIP entries without filtering out dangerous path traversal sequences. [1]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious ZIP file uploads containing path traversal sequences such as '../' in filenames. On the server, you can inspect extracted files from ZIP archives used in the problem import modules for unexpected files outside the intended directories. For example, you can search for recently created or modified files in the web root directory that should not be there, such as shell.php or other PHP files. Commands to detect suspicious files might include: 1) Find PHP files created or modified recently in the web root: `find /var/www/html -name '*.php' -mtime -7 -ls` 2) Search for files with path traversal patterns inside ZIP archives before extraction: `unzip -l suspicious.zip | grep '\.\./'` 3) Monitor web server access logs for requests to unexpected PHP files, e.g., `grep shell.php /var/log/apache2/access.log` or equivalent. These steps help identify exploitation attempts or presence of malicious files resulting from the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include: 1) Update to version 26.01.24 or later of the zhblue/hustoj project, which contains a fix that sanitizes filenames by removing '../' sequences from ZIP archive entries before extraction. 2) If updating is not immediately possible, implement manual sanitization of filenames in the problem import modules by filtering out path traversal sequences such as '../' before extracting files. 3) Restrict file upload permissions and ensure the extraction process only writes files within a designated safe directory. 4) Monitor and remove any suspicious files that may have been uploaded via this vulnerability. 5) Consider disabling the problem import feature temporarily until the patch is applied. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24479. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart