CVE-2026-23873: HustOJ CSV Injection RCE Vulnerability

CVE-2026-23873 Overview

CVE-2026-23873 is a CSV Injection (Formula Injection) vulnerability affecting HUSTOJ, an open source online judge platform built on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. The vulnerability exists in the contest rank export functionality, specifically within contestrank.xls.php and admin/ranklist_export.php. When administrators export contest rankings to Excel format, malicious formulas embedded in user-controlled fields can be executed, potentially leading to arbitrary command execution or data exfiltration on the administrator's machine.

Critical Impact
Attackers can inject Excel formulas through the Nickname field that execute arbitrary commands when administrators export and open rank lists in Microsoft Excel, enabling remote code execution on administrator machines.

Affected Products

HUSTOJ (all versions) - Open Source Online Judge Platform

Discovery Timeline

2026-01-22 - CVE CVE-2026-23873 published to NVD
2026-01-22 - Last updated in NVD database

Technical Details for CVE-2026-23873

Vulnerability Analysis

This vulnerability stems from a lack of input sanitization in HUSTOJ's contest ranking export feature. The application allows users to set nicknames that are later included in exported Excel files without proper validation or encoding. When these files are opened in Microsoft Excel, any formulas present in the data cells are automatically evaluated.

The affected components (contestrank.xls.php and admin/ranklist_export.php) generate .xls files that render as HTML tables but are processed by Excel as spreadsheet data. This behavior allows an attacker to craft a malicious nickname containing Excel formula syntax that will execute when the exported file is opened.

CSV/Formula Injection attacks exploit the dynamic formula interpretation capabilities of spreadsheet applications. When a cell value begins with characters such as =, +, -, @, or |, Excel interprets the content as a formula and attempts to execute it.

Root Cause

The root cause is classified under CWE-1236 (Improper Neutralization of Formula Elements in a CSV File). The application fails to sanitize or escape user-supplied input in the Nickname field before including it in exported spreadsheet files. Specifically, the export functionality does not:

Strip or escape formula-triggering characters (=, +, -, @, |)
Prefix cell values with single quotes to prevent formula interpretation
Validate user input against dangerous patterns before storage or export

Attack Vector

The attack is network-based and requires a low-privileged user account to set a malicious nickname. The attack chain proceeds as follows:

An attacker registers or modifies their account on the HUSTOJ platform
The attacker sets their nickname to an Excel formula payload (e.g., =cmd|' /C calc'!A0 or formulas that exfiltrate data via HTTP requests)
The attacker participates in contests to ensure their username appears in ranking lists
When an administrator exports the contest rankings and opens the resulting .xls file in Microsoft Excel, the formula executes
Depending on the payload, this can result in arbitrary command execution on the administrator's workstation or exfiltration of sensitive data

The vulnerability requires user interaction from an administrator (exporting and opening the file), but the impact on the subsequent system can be severe, including full compromise of the administrator's machine.

Detection Methods for CVE-2026-23873

Indicators of Compromise

User nicknames or display names containing formula-triggering characters: =, +, -, @, |
Unusual patterns in user profile fields resembling Excel formulas (e.g., =HYPERLINK(), =cmd|')
Network requests from administrator workstations to unexpected external URLs after opening exported files
Unexpected process execution on administrator systems coinciding with opening exported rank lists

Detection Strategies

Implement input validation monitoring to detect attempts to store formula-like patterns in user-controlled fields
Deploy endpoint detection and response (EDR) solutions on administrator workstations to identify suspicious child processes spawned by Excel
Monitor database queries and storage for nickname fields containing suspicious character sequences
Review web application firewall (WAF) logs for payload patterns associated with CSV injection attacks

Monitoring Recommendations

Enable enhanced logging for user profile modification events, particularly nickname changes
Configure alerts for exported files containing potentially malicious formula patterns
Monitor administrator workstations for unusual Excel behavior including unexpected network connections or process spawning
Implement file integrity monitoring on export directories to track generated files

How to Mitigate CVE-2026-23873

Immediate Actions Required

Restrict access to the contest rank export functionality to trusted administrators only
Instruct administrators to open exported files in Protected View or use alternative spreadsheet applications that do not auto-execute formulas
Review existing user nicknames for potentially malicious formula content and sanitize as needed
Consider disabling the export functionality until a patch is available

Patch Information

A fix was not available at the time of publication. Organizations using HUSTOJ should monitor the GitHub Security Advisory for updates and patch availability.

Workarounds

Implement server-side input validation to reject or sanitize nicknames containing formula-triggering characters (=, +, -, @, |)
Modify the export scripts to prefix all user-supplied cell values with a single quote (') to prevent formula interpretation
Configure Microsoft Excel on administrator machines to disable automatic formula execution or DDE
Use CSV viewers or text editors instead of Excel to review exported data

To implement input sanitization, prepend user-controlled values with a single quote or tab character before writing to the export file. This prevents Excel from interpreting the content as a formula:

php

# Sanitize user input before export
# Prefix values with single quote to prevent formula execution
$sanitized_nickname = "'" . preg_replace('/^[\=\+\-\@\|]/', "'$0", $nickname);

CVE-2026-23873 Overview

Critical Impact
Attackers can inject Excel formulas through the Nickname field that execute arbitrary commands when administrators export and open rank lists in Microsoft Excel, enabling remote code execution on administrator machines.

Affected Products

HUSTOJ (all versions) - Open Source Online Judge Platform

Discovery Timeline

2026-01-22 - CVE CVE-2026-23873 published to NVD
2026-01-22 - Last updated in NVD database

Technical Details for CVE-2026-23873

Vulnerability Analysis

Root Cause

Strip or escape formula-triggering characters (=, +, -, @, |)
Prefix cell values with single quotes to prevent formula interpretation
Validate user input against dangerous patterns before storage or export

Attack Vector

The attack is network-based and requires a low-privileged user account to set a malicious nickname. The attack chain proceeds as follows:

An attacker registers or modifies their account on the HUSTOJ platform
The attacker sets their nickname to an Excel formula payload (e.g., =cmd|' /C calc'!A0 or formulas that exfiltrate data via HTTP requests)
The attacker participates in contests to ensure their username appears in ranking lists
When an administrator exports the contest rankings and opens the resulting .xls file in Microsoft Excel, the formula executes
Depending on the payload, this can result in arbitrary command execution on the administrator's workstation or exfiltration of sensitive data

Detection Methods for CVE-2026-23873

Indicators of Compromise

User nicknames or display names containing formula-triggering characters: =, +, -, @, |
Unusual patterns in user profile fields resembling Excel formulas (e.g., =HYPERLINK(), =cmd|')
Network requests from administrator workstations to unexpected external URLs after opening exported files
Unexpected process execution on administrator systems coinciding with opening exported rank lists

Detection Strategies

Implement input validation monitoring to detect attempts to store formula-like patterns in user-controlled fields
Deploy endpoint detection and response (EDR) solutions on administrator workstations to identify suspicious child processes spawned by Excel
Monitor database queries and storage for nickname fields containing suspicious character sequences
Review web application firewall (WAF) logs for payload patterns associated with CSV injection attacks

Monitoring Recommendations

Enable enhanced logging for user profile modification events, particularly nickname changes
Configure alerts for exported files containing potentially malicious formula patterns
Monitor administrator workstations for unusual Excel behavior including unexpected network connections or process spawning
Implement file integrity monitoring on export directories to track generated files

How to Mitigate CVE-2026-23873

Immediate Actions Required

Restrict access to the contest rank export functionality to trusted administrators only
Instruct administrators to open exported files in Protected View or use alternative spreadsheet applications that do not auto-execute formulas
Review existing user nicknames for potentially malicious formula content and sanitize as needed
Consider disabling the export functionality until a patch is available

Patch Information

A fix was not available at the time of publication. Organizations using HUSTOJ should monitor the GitHub Security Advisory for updates and patch availability.

Workarounds

Implement server-side input validation to reject or sanitize nicknames containing formula-triggering characters (=, +, -, @, |)
Modify the export scripts to prefix all user-supplied cell values with a single quote (') to prevent formula interpretation
Configure Microsoft Excel on administrator machines to disable automatic formula execution or DDE
Use CSV viewers or text editors instead of Excel to review exported data

To implement input sanitization, prepend user-controlled values with a single quote or tab character before writing to the export file. This prevents Excel from interpreting the content as a formula:

php

# Sanitize user input before export
# Prefix values with single quote to prevent formula execution
$sanitized_nickname = "'" . preg_replace('/^[\=\+\-\@\|]/', "'$0", $nickname);

CVE-2026-23873: HustOJ CSV Injection RCE Vulnerability

CVE-2026-23873 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-23873

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-23873

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-23873

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform

CVE-2026-23873: HustOJ CSV Injection RCE Vulnerability

CVE-2026-23873 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-23873

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-23873

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-23873

Immediate Actions Required

Patch Information

Workarounds

Experience the Most Advanced Cybersecurity Platform