CVE-2026-23873 Overview
CVE-2026-23873 is a CSV Injection (Formula Injection) vulnerability affecting HUSTOJ, an open source online judge platform built on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. The vulnerability exists in the contest rank export functionality, specifically within contestrank.xls.php and admin/ranklist_export.php. When administrators export contest rankings to Excel format, malicious formulas embedded in user-controlled fields can be executed, potentially leading to arbitrary command execution or data exfiltration on the administrator's machine.
Critical Impact
Attackers can inject Excel formulas through the Nickname field that execute arbitrary commands when administrators export and open rank lists in Microsoft Excel, enabling remote code execution on administrator machines.
Affected Products
- HUSTOJ (all versions) - Open Source Online Judge Platform
Discovery Timeline
- 2026-01-22 - CVE-2026-23873 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-23873
Vulnerability Analysis
This vulnerability stems from a lack of input sanitization in HUSTOJ's contest ranking export feature. The application allows users to set nicknames that are later included in exported Excel files without proper validation or encoding. When these files are opened in Microsoft Excel, any formulas present in the data cells are automatically evaluated.
The affected components (contestrank.xls.php and admin/ranklist_export.php) generate .xls files that are in fact HTML tables; Excel opens them and parses the cell contents as spreadsheet data. A nickname containing Excel formula syntax is therefore evaluated when the exported file is opened.
CSV/Formula Injection attacks exploit the dynamic formula interpretation capabilities of spreadsheet applications. When a cell value begins with characters such as =, +, -, @, or |, Excel interprets the content as a formula and attempts to execute it.
Root Cause
The root cause is classified under CWE-1236 (Improper Neutralization of Formula Elements in a CSV File). The application fails to sanitize or escape user-supplied input in the Nickname field before including it in exported spreadsheet files. Specifically, the export functionality does not:
- Strip or escape formula-triggering characters (=, +, -, @, |)
- Prefix cell values with single quotes to prevent formula interpretation
- Validate user input against dangerous patterns before storage or export
Attack Vector
The attack is network-based and requires a low-privileged user account to set a malicious nickname. The attack chain proceeds as follows:
- An attacker registers or modifies their account on the HUSTOJ platform
- The attacker sets their nickname to an Excel formula payload (e.g., =cmd|' /C calc'!A0 or formulas that exfiltrate data via HTTP requests)
- The attacker participates in contests so that their entry, and with it the nickname, appears in ranking lists
- When an administrator exports the contest rankings and opens the resulting .xls file in Microsoft Excel, the formula executes
- Depending on the payload, this can result in arbitrary command execution on the administrator's workstation or exfiltration of sensitive data
The vulnerability requires user interaction from an administrator (exporting and opening the file), but the impact on the affected system can be severe, including full compromise of the administrator's machine.
Detection Methods for CVE-2026-23873
Indicators of Compromise
- User nicknames or display names containing formula-triggering characters: =, +, -, @, |
- Unusual patterns in user profile fields resembling Excel formulas (e.g., =HYPERLINK(), =cmd|')
- Network requests from administrator workstations to unexpected external URLs after opening exported files
- Unexpected process execution on administrator systems coinciding with opening exported rank lists
Detection Strategies
- Implement input validation monitoring to detect attempts to store formula-like patterns in user-controlled fields
- Deploy endpoint detection and response (EDR) solutions on administrator workstations to identify suspicious child processes spawned by Excel
- Monitor database queries and storage for nickname fields containing suspicious character sequences
- Review web application firewall (WAF) logs for payload patterns associated with CSV injection attacks
Monitoring Recommendations
- Enable enhanced logging for user profile modification events, particularly nickname changes
- Configure alerts for exported files containing potentially malicious formula patterns
- Monitor administrator workstations for unusual Excel behavior including unexpected network connections or process spawning
- Implement file integrity monitoring on export directories to track generated files
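The detection and monitoring items above amount to one check: find stored nicknames whose first non-blank character is a formula trigger, or which contain the fragments listed as indicators of compromise. The script below is an added example written for this page, not HUSTOJ code. It runs over constructed sample rows; the suggested source query, SELECT user_id, nick FROM users, assumes column names that should be checked against the real schema.

```python
import re

# A value whose first non-blank character is one of these is treated as a
# formula by Excel: the set the advisory names (=, +, -, @, |) plus tab and
# carriage return from OWASP's CSV-injection guidance.
LEADING_TRIGGER = re.compile(r"^\s*[=+\-@|\t\r]")

# Fragments the advisory lists as indicators of compromise in profile fields.
SUSPICIOUS_FRAGMENT = re.compile(r"HYPERLINK\s*\(|cmd\s*\|", re.IGNORECASE)


def classify_nickname(nick):
    """Return a reason string if nick looks like a formula payload, else None."""
    if nick is None:
        return None
    if LEADING_TRIGGER.match(nick):
        return "leading formula-trigger character"
    if SUSPICIOUS_FRAGMENT.search(nick):
        return "formula fragment inside value"
    return None


def scan_nicknames(rows):
    """Return (user_id, nickname, reason) for each row worth a closer look.

    rows is any iterable of (user_id, nickname) pairs, such as the result of
    SELECT user_id, nick FROM users (column names assumed; check your schema).
    The check is deliberately broad: "-Alice-" is reported too, because a
    leading "-" is enough for Excel to attempt evaluation. Review findings
    manually before sanitizing, since some will be harmless.
    """
    findings = []
    for user_id, nick in rows:
        reason = classify_nickname(nick)
        if reason is not None:
            findings.append((user_id, nick, reason))
    return findings


# Constructed sample rows; not records from any real HUSTOJ instance.
SAMPLE_ROWS = [
    ("u1001", "alice"),
    ("u1002", '=HYPERLINK("http://example.invalid/x","top")'),
    ("u1003", "-Alice-"),          # harmless-looking, but still a trigger
    ("u1004", "team cmd|runner"),  # no trigger, but a listed fragment
    ("u1005", None),               # nickname never set
    ("u1006", "  @sum(A1)"),       # blanks before the trigger
]

if __name__ == "__main__":
    for user_id, nick, reason in scan_nicknames(SAMPLE_ROWS):
        print(f"{user_id}\t{reason}\t{nick!r}")
```

The same classify_nickname check can sit in the profile-update handler to alert on write attempts, which covers the "input validation monitoring" item, and can be run against files in the export directory after the fact.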
How to Mitigate CVE-2026-23873
Immediate Actions Required
- Restrict access to the contest rank export functionality to trusted administrators only
- Instruct administrators to open exported files in Protected View or use alternative spreadsheet applications that do not auto-execute formulas
- Review existing user nicknames for potentially malicious formula content and sanitize as needed
- Consider disabling the export functionality until a patch is available
Patch Information
A fix was not available at the time of publication. Organizations using HUSTOJ should monitor the GitHub Security Advisory for updates and patch availability.
Workarounds
- Implement server-side input validation to reject or sanitize nicknames containing formula-triggering characters (=, +, -, @, |)
- Modify the export scripts to prefix all user-supplied cell values with a single quote (') to prevent formula interpretation
- Configure Microsoft Excel on administrator machines to disable automatic formula execution or DDE
- Use CSV viewers or text editors instead of Excel to review exported data
To implement input sanitization, prepend user-controlled values with a single quote or tab character before writing to the export file. This prevents Excel from interpreting the content as a formula:
<?php
# Sanitize user input before export: prefix the value with a single quote only
# when its first character is one of the formula triggers (=, +, -, @, |), so
# Excel treats the cell as text and ordinary nicknames are exported unchanged.
$sanitized_nickname = preg_replace('/^([=+\-@|])/', "'$1", $nickname);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

