41 matches found
HUSTOJ Admin users can zip-slip problem_import_qduoj.php, planting PHP files in webroot for RCE
A user with administrative privileges can abuse the problemimportqduoj.php CGI script using a crafted zip file zip-slip to traverse backwards through the filesystem, then to the webroot, where they can extract a PHP file that spawns a shell to get full RCE in the context of the webserver. Module...
📄 HUSTOJ Zip Slip / Remote Code Execution
This Metasploit module demonstrates a remote code execution vulnerability in HUSTOJ. A user with administrative privileges can abuse the problemimportqduoj.php CGI script using a crafted zip file zip-slip to traverse backwards through the filesystem, then to the webroot, where they can extract a...
📄 HUSTOJ 26.01.24 Zip-Slip Remote Code Execution
HUSTOJ version 26.01.24 suffers from zip-slip remote code execution vulnerability. Exploit Title: HUSTOJ Zip-Slip v26.01.24 - RCE Date: 2026-02-14 Exploit Author: Marshall Whittaker / oxagast Vendor Homepage: https://github.com/zhblue/hustoj Software Link:...
HUSTOJ Zip-Slip v26.01.24 - RCE
Exploit Title: HUSTOJ Zip-Slip v26.01.24 - RCE Date: 2026-02-14 Exploit Author: Marshall Whittaker / oxagast Vendor Homepage: https://github.com/zhblue/hustoj Software Link: http://123.158.38.129:8090/livecd/HUSTOJ25.05.iso LiveCD, or see above git repo Version: Before v26.01.24 Tested on: Ubuntu...
CVE-2026-24479 HUSTOJ has Arbitrary File Write (Zip Slip) in Problem Import Modules that leads to RCE
HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problemimportqduoj.php and problemimporthoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file...
CVE-2026-24479 HUSTOJ has Arbitrary File Write (Zip Slip) in Problem Import Modules that leads to RCE
HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problemimportqduoj.php and problemimporthoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file...
CVE-2026-24479 HUSTOJ has Arbitrary File Write (Zip Slip) in Problem Import Modules that leads to RCE
HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problemimportqduoj.php and problemimporthoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file...
CVE-2026-24479
Summary (CVE-2026-24479): HUSTOJ (open source online judge) before version 26.01.24 is vulnerable to a Zip Slip-like flaw in the problem_import_qduoj.php and problem_import_hoj.php modules. A malicious ZIP file can contain path traversal sequences (e.g., ../../shell.php) that, when extracted on t...
HUSTOJ Path Traversal Vulnerability
HUSTOJ is a popular OJ system developed by Zhang Haobin zhblue from China. Versions of HUSTOJ before 26.01.24 contained a path traversal vulnerability. This vulnerability stemmed from the improper cleaning of file names in uploaded ZIP archives by the problemimportqduoj.php and problemimporthoj.p...
CVE-2026-23873
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection Formula Injection through the contest rank export functionality contestrank.xls.php and admin/ranklistexport.php. The application fails to sanitize...
HUSTOJ security vulnerabilities
HUSTOJ is a popular OJ system developed by Zhang Haobin zhblue from China. HUSTOJ has security vulnerabilities; these vulnerabilities arise from the application not cleaning the input provided by users before exporting it to .xls files. This may lead to CSV injection and arbitrary command executi...
CVE-2026-23873 HUSTOJ is Vulnerable to Stored CSV Injection (Formula Injection) in Contest Rank Export
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection Formula Injection through the contest rank export functionality contestrank.xls.php and admin/ranklistexport.php. The application fails to sanitize...
CVE-2026-23873
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection Formula Injection through the contest rank export functionality contestrank.xls.php and admin/ranklistexport.php. The application fails to sanitize...
CVE-2026-23873 HUSTOJ is Vulnerable to Stored CSV Injection (Formula Injection) in Contest Rank Export
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection Formula Injection through the contest rank export functionality contestrank.xls.php and admin/ranklistexport.php. The application fails to sanitize...
CVE-2026-23873 HUSTOJ is Vulnerable to Stored CSV Injection (Formula Injection) in Contest Rank Export
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection Formula Injection through the contest rank export functionality contestrank.xls.php and admin/ranklistexport.php. The application fails to sanitize...
CVE-2022-42187
Hustoj 22.09.22 has a XSS Vulnerability in /admin/problemjudge.php...
EUVD-2025-25210
Malicious code in bioql PyPI...
EUVD-2022-45264
Malicious code in bioql PyPI...
CVE-2025-50938
Cross site scripting XSS vulnerability in Hustoj 2025-01-31 via the TID parameter to thread.php...
CVE-2025-50938
Cross site scripting XSS vulnerability in Hustoj 2025-01-31 via the TID parameter to thread.php...