CVE-2026-24479

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to achieve remote code execution by uploading malicious ZIP archives containing path traversal sequences. The flaw affects HUSTOJ online judge systems running versions prior to 26.01.24, potentially compromising the entire server.

💻 Affected Systems

Products:
  • HUSTOJ
Versions: All versions prior to 26.01.24
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires problem_import_qduoj.php or problem_import_hoj.php functionality enabled.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise with attacker gaining shell access, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Webshell deployment leading to data theft, service disruption, and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper file upload restrictions and web application firewalls in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to problem import functionality, typically requiring authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 26.01.24

Vendor Advisory: https://github.com/zhblue/hustoj/security/advisories/GHSA-xmgg-2rw4-7fxj

Restart Required: No

Instructions:

1. Back up your current installation.
2. Update to version 26.01.24 via git pull or manual download.
3. Verify the fix by checking that commit 902bd09e6d0011fe89cd84d4236899314b33101f is present.

🔧 Temporary Workarounds

Disable Problem Import Modules (Linux)

Temporarily rename the vulnerable PHP scripts so the web server no longer serves them (adjust the path if your document root differs from /var/www/html):

mv /var/www/html/problem_import_qduoj.php /var/www/html/problem_import_qduoj.php.disabled
mv /var/www/html/problem_import_hoj.php /var/www/html/problem_import_hoj.php.disabled

Implement File Upload Restrictions (Linux)

Configure the web server to reject ZIP uploads or restrict extraction to safe directories. The settings below do not stop the traversal itself; they cap the upload size and disable the functions a planted PHP file would typically call to run commands, which limits what a successful upload can do.

# Add to .htaccess (mod_php) or the web server's PHP configuration:
php_value upload_max_filesize 1M

# Add to php.ini (disable_functions can only be set there, not in .htaccess):
disable_functions = exec,passthru,shell_exec,system

🧯 If You Can't Patch

  • Implement strict file upload validation and sanitization in the application layer.
  • Deploy a web application firewall (WAF) with rules to detect and block path traversal attempts.
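The application-layer validation recommended above, and the "restrict file extraction to safe directories" workaround, come down to one rule: never let an archive member name choose where a file lands. The following is an added example, not HUSTOJ's own code (which is PHP), written in Python to show the check an import routine should run before extracting an uploaded ZIP. Every member name is normalized, rejected if it is absolute, drive-qualified or climbs above the destination, and the resolved target is confirmed to sit under the destination directory before anything is written. The allowlist of file suffixes (`ALLOWED_SUFFIXES`) and the sample archive contents are assumptions constructed for the example; `run_demo` extracts a well-formed package and confirms each malformed member name is refused.

```python
import io
import os
import posixpath
import tempfile
import zipfile


class UnsafeArchiveError(ValueError):
    """Raised when an archive member must not be written."""


def safe_member_path(dest_dir, member_name):
    """Map an archive member name onto an absolute path inside dest_dir,
    or raise UnsafeArchiveError if the name would escape it."""
    # Treat backslashes as separators too: some writers emit them, and a
    # naive '../' check would miss '..\\'.
    name = member_name.replace("\\", "/")
    if name.startswith("/"):
        raise UnsafeArchiveError(f"absolute path in archive: {member_name!r}")
    # A drive letter in the first segment ('C:...') is not a relative name either.
    if ":" in name.split("/", 1)[0]:
        raise UnsafeArchiveError(f"drive-qualified path in archive: {member_name!r}")
    normalized = posixpath.normpath(name)
    if normalized == ".." or normalized.startswith("../"):
        raise UnsafeArchiveError(f"path traversal in archive: {member_name!r}")
    dest_root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_root, *normalized.split("/")))
    # Resolve symlinks and confirm the final location is still under dest_root.
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise UnsafeArchiveError(f"member escapes destination: {member_name!r}")
    return target


# Assumed allowlist of file types a problem package may contain; adjust it to
# the import format you actually accept. Anything else (notably .php) is refused.
ALLOWED_SUFFIXES = (".in", ".out", ".txt", ".md", ".json")


def extract_safely(zip_bytes, dest_dir, allowed_suffixes=ALLOWED_SUFFIXES):
    """Validate every member, then extract. Returns the list of files written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Check the whole listing before writing anything, so one bad entry
        # late in the archive cannot leave a half-extracted problem directory.
        plan = []
        for info in zf.infolist():
            target = safe_member_path(dest_dir, info.filename)
            if not info.is_dir() and not info.filename.lower().endswith(allowed_suffixes):
                raise UnsafeArchiveError(f"disallowed file type: {info.filename!r}")
            plan.append((info, target))
        written = []
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
        return written


def build_archive(entries):
    """Constructed helper: build an in-memory ZIP from {member_name: bytes}.
    zipfile stores member names verbatim, which lets us test the guard
    against malformed names without touching the filesystem."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo():
    """Extract a well-formed constructed package, then confirm that each
    malformed member name is refused. Returns a summary dict."""
    good = build_archive({"1001/1.in": b"1 2\n", "1001/1.out": b"3\n"})
    bad_names = ["../outside.txt", "/abs/x.php", "..\\win.txt", "1001/x.php"]
    summary = {"written": 0, "content": b"", "rejected": []}
    with tempfile.TemporaryDirectory() as dest:
        summary["written"] = len(extract_safely(good, dest))
        with open(os.path.join(dest, "1001", "1.out"), "rb") as fh:
            summary["content"] = fh.read()
        for name in bad_names:
            try:
                extract_safely(build_archive({name: b"x"}), dest)
            except UnsafeArchiveError:
                summary["rejected"].append(name)
    return summary


if __name__ == "__main__":
    print(run_demo())
```

Validating the complete listing before the first write matters as much as the per-name check: an importer that extracts as it goes can be left with a partially written problem directory when a later entry is rejected, and that half-state is what an attacker then probes.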

🔍 How to Verify

Check if Vulnerable:

Check if version is older than 26.01.24 and problem_import_qduoj.php/problem_import_hoj.php files exist.

Check Version:

grep -r 'version' /var/www/html/ | grep -i hustoj

Verify Fix Applied:

Confirm that commit 902bd09e6d0011fe89cd84d4236899314b33101f is present in your checkout, then test the import endpoints with a ZIP whose member names contain path traversal sequences and confirm that nothing is written outside the problem data directory.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ZIP file uploads
  • File write attempts outside expected directories
  • Execution of PHP files in unexpected locations

Network Indicators:

  • POST requests to problem_import_*.php with ZIP file uploads
  • Subsequent requests to newly created PHP files

SIEM Query:

source="web_logs" AND (uri="/problem_import_qduoj.php" OR uri="/problem_import_hoj.php") AND method="POST" AND content_type="application/zip"
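The network indicators above describe a two-step pattern: a POST to one of the import endpoints, followed by a request from the same client for a PHP file that is not part of the application. As an added example (not part of the advisory and not HUSTOJ's code), the Python below runs that correlation over constructed Apache "combined" access-log lines. Combined logs do not record the request content type, so this keys on the POST to the importer rather than on `application/zip` as the SIEM query does; use that field where your log source carries it. The allowlist `KNOWN_SCRIPTS`, the `/upload/...` path and the log lines are all constructed for the example.

```python
import re

# Regex for Apache/nginx "combined" access-log lines (adjust if your server
# uses a custom log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The two importer endpoints named in the advisory.
IMPORT_RE = re.compile(r"^/problem_import_(qduoj|hoj)\.php$")

# Constructed sample log: one client imports a problem set, then requests a
# PHP file at a path that is not part of the application.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Feb/2026:10:01:02 +0000] "GET /problem.php?id=1001 HTTP/1.1" 200 5120
10.0.0.5 - - [05/Feb/2026:10:01:40 +0000] "POST /problem_import_qduoj.php HTTP/1.1" 200 312
10.0.0.5 - - [05/Feb/2026:10:01:55 +0000] "GET /upload/1001/x.php HTTP/1.1" 200 64
10.0.0.9 - - [05/Feb/2026:10:02:10 +0000] "GET /status.php HTTP/1.1" 200 9000
10.0.0.5 - - [05/Feb/2026:10:02:30 +0000] "GET /problemset.php HTTP/1.1" 200 7000
"""

# Constructed allowlist of legitimate application scripts. In a real deployment
# build it from the .php files shipped in the release under the document root.
KNOWN_SCRIPTS = {
    "/problem.php", "/problemset.php", "/status.php",
    "/problem_import_qduoj.php", "/problem_import_hoj.php",
}


def parse_log(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(text, known_scripts=KNOWN_SCRIPTS):
    """Return findings in log order: each import upload, and every request
    by a client that has already uploaded for a .php path not on the allowlist."""
    findings = []
    importers = set()  # clients that have POSTed to an import endpoint
    for e in parse_log(text):
        path = e["path"].split("?", 1)[0]  # drop the query string
        if e["method"] == "POST" and IMPORT_RE.match(path):
            importers.add(e["ip"])
            findings.append({"kind": "import_upload", "ip": e["ip"],
                             "path": path, "ts": e["ts"]})
        elif (e["ip"] in importers
              and path.lower().endswith(".php")
              and path not in known_scripts):
            findings.append({"kind": "unknown_php_after_import", "ip": e["ip"],
                             "path": path, "ts": e["ts"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The first finding on its own is routine activity for a privileged user; the second is the one worth paging on, and pairing the two in the same client session is what separates a real import from a dropped file being fetched. Run the same allowlist comparison against the document root on disk ("File write attempts outside expected directories" above) to catch files that were planted but not yet requested.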
