PT-2026-3882 · Microsoft+4 · Office Excel+4

Ling101W · Published 2026-01-21 · Updated 2026-02-27 · CVE-2026-23873

CVSS v3.1

9.0 Critical

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

hustoj (affected versions not specified)

Description

hustoj is an open source online judge system built on PHP/C++/MySQL/Linux. The application is susceptible to CSV Injection (Formula Injection) through the contest rank export functionality, specifically in the contestrank.xls.php and admin/ranklist export.php files. The system does not properly sanitize user-provided input, particularly the Nickname field, before including it in exported .xls files. An attacker can exploit this by setting their nickname to an Excel formula. When an administrator opens the exported rank list in Microsoft Excel, the malicious formula will execute, potentially leading to arbitrary command execution (RCE) on the administrator’s machine or data exfiltration.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
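
The sanitisation the description says is missing can be applied when each user-supplied value is written to the export. The PHP below is an added example, not hustoj's code and not part of this advisory; the function names are hypothetical, the sample nicknames are constructed, and it assumes the export writes each value either as an HTML table cell or as a CSV field.

```php
<?php
// Added example, not hustoj code; function names are hypothetical.

// Prefix values a spreadsheet would evaluate as a formula with an apostrophe,
// so they are stored as text. Triggers follow OWASP's CSV Injection guidance:
// a leading =, +, -, @ (also after leading whitespace), or a leading tab / CR.
function neutralise_cell(string $value): string
{
    $trimmed = ltrim($value, " \t\r\n");
    $leadingControl = $value !== '' && ($value[0] === "\t" || $value[0] === "\r");
    $formulaStart = $trimmed !== '' && strpos('=+-@', $trimmed[0]) !== false;
    // Side effect: plain negative numbers such as "-5" also become text.
    return ($leadingControl || $formulaStart) ? "'" . $value : $value;
}

// For exports that emit an HTML table served as .xls (assumed output format).
function xls_html_cell(string $value): string
{
    $safe = htmlspecialchars(neutralise_cell($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>' . $safe . '</td>';
}

// For exports that emit CSV: always quote, and double embedded quotes.
function csv_field(string $value): string
{
    return '"' . str_replace('"', '""', neutralise_cell($value)) . '"';
}

// Constructed sample nicknames; the formula is a harmless arithmetic one.
$nicknames = ['alice', '=1+1', "\t@team", '  +42', 'bob "the" coder', '李雷'];

foreach ($nicknames as $nick) {
    printf(
        "%-20s %-30s %s\n",
        json_encode($nick, JSON_UNESCAPED_UNICODE),
        csv_field($nick),
        xls_html_cell($nick)
    );
}
```

Apply the neutralisation at export time to every user-controlled column, not only the nickname, because values already stored in the database were accepted without this check.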

Exploit

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-23873
GHSA-GQWV-V7VX-2QJW

Affected Products

Linux
Office Excel
Mysql Server
Php
Hustoj