PT-2026-4839 · Linux+3

Ling101W · Published 2026-01-27 · Updated 2026-05-22 · CVE-2026-24479

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

HUSTOF versions prior to 26.01.24

Description

HUSTOF is an online judge system built on PHP, C++, MySQL, and Linux. A path traversal flaw exists in the problem_import_qduoj.php and problem_import_hoj.php modules when handling ZIP archive extractions. This allows attackers to write files to arbitrary locations within the web root by crafting malicious ZIP files containing path traversal sequences, such as ../../shell.php. Successful exploitation leads to Remote Code Execution (RCE).

Recommendations

Versions prior to 26.01.24 should be updated to version 26.01.24 or later.
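
The kind of check that blocks the traversal described above, as an added PHP example (not code from this page or from the project; the function names, the base directory and the sample entry names are hypothetical). Each ZIP entry name is resolved against the extraction directory and refused if it is absolute or contains a `..` segment.

```php
<?php // Added illustration; function names and paths are hypothetical, not project code.

/** Map a ZIP entry name to a path under $baseDir, or null if it would escape it. */
function safe_entry_target(string $baseDir, string $entryName): ?string
{
    $name = str_replace('\\', '/', $entryName);          // treat both separators alike
    if ($name === '' || strpos($name, "\0") !== false    // empty name or NUL byte
        || $name[0] === '/' || preg_match('#^[A-Za-z]:#', $name)) { // absolute path
        return null;
    }
    $parts = [];
    foreach (explode('/', $name) as $seg) {
        if ($seg === '..') {
            return null;                                  // parent reference: refuse
        }
        if ($seg !== '' && $seg !== '.') {
            $parts[] = $seg;                              // keep real path segments only
        }
    }
    return $parts ? rtrim($baseDir, '/') . '/' . implode('/', $parts) : null;
}

/** Extract entry by entry; returns the entry names that were refused. */
function extract_zip_safely(string $zipPath, string $baseDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = (string) $zip->getNameIndex($i);
        $target = safe_entry_target($baseDir, $name);
        if ($target === null) {
            $rejected[] = $name;                          // log these for review
        } elseif (substr($name, -1) === '/') {
            is_dir($target) || mkdir($target, 0750, true); // directory entry
        } else {
            is_dir(dirname($target)) || mkdir(dirname($target), 0750, true);
            file_put_contents($target, $zip->getFromIndex($i));
        }
    }
    $zip->close();
    return $rejected;
}
// Constructed entry names, checked without touching the filesystem.
foreach (['data/1.in', '../../shell.php', '/tmp/abs.txt', 'a\\..\\b.php'] as $n) {
    printf("%-18s %s\n", $n, safe_entry_target('/srv/import/tmp', $n) ?? 'REJECTED');
}
```

Only `data/1.in` is accepted from the constructed names. Extracting into a directory from which the web server does not execute PHP limits the impact of any file that does get written.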

Exploit

Fix

RCE

Path traversal

Related Identifiers

CVE-2026-24479
GHSA-XMGG-2RW4-7FXJ

Affected Products

Hustof
Linux
Mysql Server
Php