CVE-2026-24479 Overview
CVE-2026-24479 is a critical path traversal vulnerability affecting HUSTOJ, an open source online judge platform based on PHP/C++/MySQL/Linux used for ACM/ICPC and NOIP training. The vulnerability exists in the problem_import_qduoj.php and problem_import_hoj.php modules, which fail to properly sanitize filenames within uploaded ZIP archives. This flaw allows attackers to craft malicious ZIP files containing files with path traversal sequences (e.g., ../../shell.php), enabling arbitrary file writes to the web root and ultimately leading to Remote Code Execution (RCE).
Critical Impact
An attacker who can submit an archive to the problem import pages can achieve Remote Code Execution: path traversal sequences in ZIP entry names make the server write attacker-controlled files into the web root, from where a PHP file is executed on the next HTTP request. Both import pages sit under HUSTOJ's admin/ directory, which the application normally restricts to administrator and problem-editor accounts, so confirm the privilege level the NVD record assumes before treating this as an unauthenticated vector.
Affected Products
- HUSTOJ versions prior to 26.01.24
- Deployments that expose the admin/problem_import_qduoj.php import page
- Deployments that expose the admin/problem_import_hoj.php import page
Discovery Timeline
- 2026-01-27 - CVE-2026-24479 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2026-24479
Vulnerability Analysis
This path traversal vulnerability (CWE-22) occurs due to insufficient input validation in the problem import functionality of HUSTOJ. When users upload ZIP archives through the problem_import_qduoj.php or problem_import_hoj.php endpoints, the application extracts files without properly sanitizing the filenames contained within the archive. The core issue stems from the application's direct use of ZIP entry names when constructing file paths for extraction, without filtering out path traversal sequences such as ../.
An attacker can exploit this by creating a specially crafted ZIP archive containing files with directory traversal patterns embedded in their names. When the server processes and extracts this archive, it follows the malicious path sequences, writing files to arbitrary locations outside the intended extraction directory. By targeting the web root directory, an attacker can upload a PHP webshell that can be subsequently accessed via HTTP to execute arbitrary commands on the server.
Root Cause
The root cause of this vulnerability is improper input validation and sanitization of filenames extracted from ZIP archives. The zip_entry_name() function returns the raw filename stored in the ZIP archive, which can contain relative path components. The vulnerable code directly appends this unsanitized filename to the extraction path without validating or removing directory traversal sequences like ../. This allows attackers to escape the intended extraction directory and write files to arbitrary locations on the filesystem.
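The following Python model is an added illustration, not HUSTOJ code: the real extraction loop is PHP, but its path construction is reproduced here so the three relevant strategies can be exercised on sample entry names. It shows the pre-patch concatenation, the single-pass literal strip that the fix applies (PHP's str_replace and Python's str.replace behave the same way here), and a containment check that normalises the path before deciding. The extraction directory and the entry names are assumptions made up for the demonstration.

```python
import posixpath
from typing import Dict, Optional

# Assumed extraction directory for this illustration; HUSTOJ's real layout
# is not reproduced here.
EXTRACT_DIR = "/var/www/hustoj/web/admin/import_tmp/"


def is_inside(base_dir: str, path: str) -> bool:
    """True when the normalised path is base_dir itself or lies below it."""
    base = posixpath.normpath(base_dir)
    final = posixpath.normpath(path)
    return final == base or final.startswith(base + "/")


def vulnerable_target(extract_dir: str, entry_name: str) -> str:
    """Pre-patch construction: $path . zip_entry_name($entry), verbatim."""
    return extract_dir + entry_name


def single_pass_strip_target(extract_dir: str, entry_name: str) -> str:
    """Equivalent of the patch's str_replace('../', '', $file_name).

    PHP's str_replace and Python's str.replace both make one left-to-right
    pass and never re-scan the text that a removal produces.
    """
    return (extract_dir + entry_name).replace("../", "")


def contained_target(extract_dir: str, entry_name: str) -> Optional[str]:
    """Containment check: normalise the joined path first, then require the
    result to stay inside extract_dir. Returns None when the entry must be
    refused rather than silently rewritten."""
    base = posixpath.normpath(extract_dir)
    # lstrip("/") keeps an absolute entry name from discarding the base dir.
    candidate = posixpath.normpath(posixpath.join(base, entry_name.lstrip("/")))
    return candidate if is_inside(base, candidate) else None


def evaluate(entry_name: str, extract_dir: str = EXTRACT_DIR) -> Dict[str, bool]:
    """Report, for one ZIP entry name, which strategy still lets it escape."""
    return {
        "vulnerable_escapes": not is_inside(
            extract_dir, vulnerable_target(extract_dir, entry_name)),
        "patch_escapes": not is_inside(
            extract_dir, single_pass_strip_target(extract_dir, entry_name)),
        "containment_rejects": contained_target(extract_dir, entry_name) is None,
    }


if __name__ == "__main__":
    # Constructed entry names: a normal QDUOJ-style export path, the plain
    # traversal from the advisory, and a name that only becomes '../' after
    # one pass of the literal strip.
    for name in ("1001/problem.json", "../../shell.php", "....//shell.php"):
        print(f"{name:20s} {evaluate(name)}")
```

Running the block shows the two failure modes side by side: the pre-patch code lets `../../shell.php` escape, the literal strip blocks that name but turns `....//shell.php` into `../shell.php`, and the containment check rejects the first and keeps the second harmlessly inside the extraction directory (as a file under a directory literally named `....`). The check validates the normalised result rather than editing the input, which is why it has no equivalent blind spot.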
Attack Vector
The attack is network-based and needs no user interaction beyond the upload itself. Because the import pages are reached through HUSTOJ's admin/ directory, a stock deployment requires a session that is allowed to open those pages; verify the privilege requirement against the NVD record rather than assuming an unauthenticated vector. Exploitation proceeds as follows:
- Creating a malicious ZIP archive with embedded path traversal sequences in filenames (e.g., ../../../var/www/html/shell.php)
- Uploading the crafted archive through the problem import functionality
- The server extracts the archive, following the path traversal sequences
- A malicious PHP file is written to the web root directory
- The attacker accesses the uploaded webshell via HTTP to execute arbitrary commands
The following excerpt shows the security patch. The line marked + is the one the fix adds; it strips literal ../ sequences from the filename after the entry name has already been appended to the extraction path:
while ($dir_resource = zip_read($resource)) {
if (zip_entry_open($resource,$dir_resource)) {
$file_name = $path.zip_entry_name($dir_resource);
+ $file_name=str_replace('../', '', $file_name);
$file_path = substr($file_name,0,strrpos($file_name, "/"));
if (!is_dir($file_name)) {
$file_size = zip_entry_filesize($dir_resource);
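Review bot: the added `str_replace('../', '', $file_name)` is a single left-to-right pass, so an entry name such as `....//shell.php` becomes `../shell.php` after the replacement and still escapes `$path`; `$file_path`, computed on the next line from the same string, inherits the residual `..` as well. Rather than deleting characters from the name, keep the concatenation and then refuse the entry unless its normalised form (a component walk that drops `.` and resolves `..`, or realpath() of the parent directory) still starts with `$path`, and reject outright any entry name that begins with `/` or contains a `..` component. A helper such as `if (!path_is_inside($path, $file_name)) { continue; }` placed before `$file_path` is computed would cover both the plain and the doubled form.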
Source: GitHub Commit
Detection Methods for CVE-2026-24479
Indicators of Compromise
- Unexpected PHP files appearing in the web root directory outside normal application paths
- ZIP file uploads to /admin/problem_import_qduoj.php or /admin/problem_import_hoj.php endpoints containing ../ sequences
- New executable files with suspicious names such as shell.php, cmd.php, or similar webshell indicators
- Anomalous HTTP requests to newly created PHP files in unexpected directories
Detection Strategies
- Implement web application firewall (WAF) rules that inspect ZIP uploads to the import endpoints for path traversal sequences in entry names; the ZIP format stores entry names uncompressed in each local file header and in the central directory, so a body-inspection rule for ../ (and for names beginning with /) works without decompressing the archive
- Monitor file integrity in web root directories to detect unauthorized file creation
- Analyze HTTP access logs for POST requests to problem_import_qduoj.php and problem_import_hoj.php, especially from unexpected source addresses or outside normal administrative hours, and for any subsequent request to a .php path that is not part of the deployed application
- Deploy endpoint detection to identify webshell artifacts and command execution patterns
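As an added example (not tooling from HUSTOJ or the advisory), the script below implements two of the detection strategies above in Python: it inspects an uploaded ZIP for entry names that should never occur in a problem-set export, including the `....//` form that survives a single-pass strip of `../`, and it scans Apache combined-format access logs for POSTs to the two import endpoints and for requests to .php paths outside an allow-list. The archive and the log lines are constructed inline for the demonstration; the allow-list of known PHP paths is an assumption and would in practice be generated from the deployed web root.

```python
import io
import re
import zipfile
from typing import List, Sequence, Set, Tuple

# Endpoints named in the advisory.
IMPORT_ENDPOINTS = {"/admin/problem_import_qduoj.php", "/admin/problem_import_hoj.php"}

# Assumed allow-list of PHP paths; in practice generate it from the deployed
# tree (every *.php under the web root) and keep it under version control.
KNOWN_PHP = {"/problem.php", "/status.php", "/index.php"} | IMPORT_ENDPOINTS


def traversal_entries(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry_name, reason) for every ZIP entry that should never
    appear in a problem-set export. Entry names are stored uncompressed in
    the local file headers and the central directory, so the strings a WAF
    sees in the request body are the same ones zipfile reads here."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            normalised = name.replace("\\", "/")
            parts = normalised.split("/")
            if normalised.startswith("/"):
                flagged.append((name, "absolute path"))
            elif ".." in parts:
                flagged.append((name, "'..' component"))
            elif "../" in normalised:
                # e.g. '....//x': no '..' component, but one pass of
                # str_replace('../', '') turns it into '../x'.
                flagged.append((name, "'../' substring survives one-pass strip"))
            elif "\\" in name:
                flagged.append((name, "backslash in entry name"))
    return flagged


# Apache combined log format: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def _parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def import_uploads(log_lines: Sequence[str]) -> List[Tuple[str, str, int]]:
    """POSTs to the two import pages as (client, path, status). Every hit
    should match an import an administrator actually performed."""
    hits = []
    for line in log_lines:
        parsed = _parse(line)
        if parsed and parsed[1] == "POST" and parsed[2] in IMPORT_ENDPOINTS:
            hits.append((parsed[0], parsed[2], parsed[3]))
    return hits


def unknown_php_requests(log_lines: Sequence[str],
                         known: Set[str] = KNOWN_PHP) -> List[Tuple[str, str]]:
    """Requests for .php paths that are not part of the deployed application,
    i.e. the 'anomalous HTTP requests to newly created PHP files' indicator."""
    seen = []
    for line in log_lines:
        parsed = _parse(line)
        if parsed and parsed[2].endswith(".php") and parsed[2] not in known:
            seen.append((parsed[0], parsed[2]))
    return seen


def build_sample_zip() -> bytes:
    """Constructed test archive (not a real exploit file): two benign
    QDUOJ-style entries and two traversal entries with placeholder bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1001/problem.json", '{"title": "A+B"}')
        zf.writestr("1001/testcase/1.in", "1 2\n")
        zf.writestr("../../shell.php", "placeholder\n")
        zf.writestr("....//shell.php", "placeholder\n")
    return buf.getvalue()


# Constructed Apache combined-format lines; addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jan/2026:10:01:02 +0000] "POST /admin/problem_import_qduoj.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Jan/2026:10:01:05 +0000] "GET /shell.php HTTP/1.1" 200 81 "-" "curl/8.5.0"',
    '198.51.100.4 - - [27/Jan/2026:10:02:00 +0000] "GET /problem.php?id=1001 HTTP/1.1" 200 3044 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Jan/2026:10:03:10 +0000] "POST /admin/problem_import_hoj.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("archive:", traversal_entries(build_sample_zip()))
    print("imports:", import_uploads(SAMPLE_LOG))
    print("unknown php:", unknown_php_requests(SAMPLE_LOG))
```

Correlating the two log checks is the useful part: a POST to an import page followed within seconds by the first-ever request to a .php path that is not in the allow-list, from the same client, is the sequence the attack vector section describes. Python's own `ZipFile.extractall` strips `..` components, so it is not a stand-in for the vulnerable PHP loop; the archive is only inspected here, never extracted.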
Monitoring Recommendations
- Capture file operations during ZIP extraction at the operating-system level (for example auditd rules or inotify watches on the extraction directory and the web root) rather than relying on the application's own logging
- Implement real-time file system monitoring for the web root directory hierarchy
- Configure SIEM alerts for any new PHP file creation outside designated upload directories
- Monitor outbound network connections from the web server for potential command-and-control traffic
How to Mitigate CVE-2026-24479
Immediate Actions Required
- Upgrade HUSTOJ to version 26.01.24 or later immediately
- Review web root directories for any unexpected or suspicious PHP files
- Audit access logs for prior exploitation attempts targeting the problem import endpoints
- Implement network-level controls to restrict access to admin functionality if immediate patching is not possible
Patch Information
The vulnerability has been addressed in HUSTOJ version 26.01.24. The fix sanitizes filenames taken from ZIP archives by removing literal path traversal sequences (../) from the constructed file path. Organizations should upgrade to this version or apply the security commit 902bd09e6d0011fe89cd84d4236899314b33101f. Because the fix removes characters rather than verifying that the final path stays inside the extraction directory, keep the import pages restricted to trusted administrators and keep file-integrity monitoring on the web root after upgrading.
For detailed patch information, refer to:
Workarounds
- Disable or restrict access to the problem import functionality (problem_import_qduoj.php and problem_import_hoj.php) until patching is complete
- Implement web server configuration to block requests to vulnerable endpoints
- Deploy a WAF rule to reject ZIP uploads containing filenames with ../ patterns
- Restrict administrative access to trusted IP addresses only
# Apache configuration to block access to vulnerable endpoints.
# Apache 2.4 semantics: when only Require ip directives are present, clients
# outside the listed ranges receive 403, so no explicit deny is needed.
# Widen the scope to <Location "/admin/"> to cover the whole administrative area.
<Location "/admin/problem_import_qduoj.php">
    Require ip 10.0.0.0/8 192.168.0.0/16
</Location>
<Location "/admin/problem_import_hoj.php">
    Require ip 10.0.0.0/8 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

