Cyber Resilience

CVE-2026-24479

Severity: Critical
Published: 27 January 2026
Modified: 02 March 2026
CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0790 (94.0th percentile)
Risk Priority: 80 (floored blend · peak EPSS)

Summary

CVE-2026-24479 is a critical-severity Path Traversal (CWE-22) vulnerability in Hustoj Hustoj. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24479 is a path traversal vulnerability (CWE-22) in HUSTOJ, an open-source online judge platform based on PHP, C++, MySQL, and Linux, used for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules do not properly sanitize filenames in uploaded ZIP archives. This allows attackers to include files with path traversal sequences, such as ../../shell.php, enabling arbitrary file writes to the web root when the archive is extracted on the server. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers with network access can exploit this issue by crafting and uploading a malicious ZIP file through the affected import modules. Upon server-side extraction, the payload overwrites or creates files in unintended locations, such as the web root, facilitating remote code execution (RCE). No user interaction or privileges are required, making it highly accessible for remote exploitation.

The GitHub security advisory (GHSA-xmgg-2rw4-7fxj) and commit 902bd09e6d0011fe89cd84d4236899314b33101f detail the fix in version 26.01.24, which addresses filename sanitization during ZIP extraction. Security practitioners should upgrade to this version or later and review access to the import endpoints.
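A defensive illustration of the missing check, added here and not taken from HUSTOJ's code or the fix commit: a ZIP extraction routine that resolves every member name under the destination directory and refuses any entry that would escape it. It is written in Python rather than the project's PHP, and the archive it processes is constructed inside the block (the entry names are assumptions modelled on the advisory's ../../shell.php example).

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

class UnsafeArchiveEntry(ValueError):
    """A ZIP member name that would resolve outside the destination."""

def safe_member_path(dest_dir, member_name):
    """Resolve member_name under dest_dir (the check the vulnerable modules lacked).
    Rejects absolute or empty names, any '..' component, and any resolved path
    that lands outside dest_dir, e.g. via a symlinked intermediate directory."""
    dest = Path(dest_dir).resolve()
    pure = PurePosixPath(member_name.replace("\\", "/"))
    if pure.is_absolute() or not pure.parts or ".." in pure.parts:
        raise UnsafeArchiveEntry(member_name)
    target = (dest / Path(*pure.parts)).resolve()
    if target != dest and dest not in target.parents:
        raise UnsafeArchiveEntry(member_name)
    return target

def safe_extract(zip_bytes, dest_dir):
    """Extract only validated members (never extractall); return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_member_path(dest_dir, info.filename)
            except UnsafeArchiveEntry:
                rejected.append(info.filename)  # log/alert on these in production
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written, rejected

def build_sample_zip():
    """Constructed sample: a legitimate problem file plus the advisory's traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("1001/problem.json", '{"title": "A+B"}')
        zf.writestr("../../shell.php", "constructed placeholder content")
    return buf.getvalue()

def demo():
    # Run the constructed sample through safe_extract in a throwaway directory.
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), tmp)
```

The rejected list is what an import endpoint should log: a traversal name in an uploaded archive is a strong detection signal on its own.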

Vulnerability details

HUSTOJ is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a path traversal in a public-facing web application's ZIP import endpoints, enabling unauthenticated remote arbitrary file writes to the web root for RCE, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23873 (same product: Hustoj Hustoj)
CVE-2025-2505 (shared CWE-22)
CVE-2026-5841 (shared CWE-22)
CVE-2026-33242 (shared CWE-22)
CVE-2026-33292 (shared CWE-22)
CVE-2026-35605 (shared CWE-22)
CVE-2025-53632 (shared CWE-22)
CVE-2025-8110 (shared CWE-22)
CVE-2026-8757 (shared CWE-22)
CVE-2025-7712 (shared CWE-22)

Affected Assets

hustoj
hustoj
≤ 26.01.24

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of ZIP archive filenames to block path traversal sequences during upload and extraction.

Prevent (SI-2, Flaw Remediation): Mandates identification, reporting, and correction of the filename sanitization flaw, such as by patching to version 26.01.24.

Detect: Enables scanning for vulnerabilities like CVE-2026-24479 in the HUSTOJ platform to identify and prioritize remediation.
