CVE-2026-23873

MEDIUM · EPSS 39.7%
CVSS 4.0 Base Score 5.2 (Medium)
Published Jan 22, 2026 (5mo ago)
Last Modified Jun 17, 2026 (1w ago)

Description

hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which is actually an HTML table, but is opened by Excel). If a malicious user sets their nickname to an Excel formula, that formula is evaluated when an administrator exports the rank list and opens it in Microsoft Excel. This can lead to arbitrary command execution (RCE) on the administrator's machine or to data exfiltration. A fix was not available at the time of publication.
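The missing control in the description is neutralization of formula-triggering cells before they reach the exported table. The following is an added example, not hustoj's own code, written in Python rather than the project's PHP; it applies the OWASP CSV Injection guidance (prefix cells that begin with a formula trigger with a single quote) together with HTML escaping, since the .xls file is really an HTML table, and includes a defender-side audit that flags nicknames already stored in formula form. The column layout and sample nicknames are constructed.

```python
import html

# Leading characters that make Excel (and other spreadsheet apps) parse a cell
# as a formula. Set taken from OWASP's CSV Injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the cell text would be evaluated as a formula when opened in Excel."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Defuse a formula trigger by prefixing a single quote.

    Excel treats a leading apostrophe as a text marker, so the cell is
    displayed literally and never evaluated (the CWE-1236 mitigation).
    """
    return "'" + value if is_formula_like(value) else value


def render_rank_row(rank: int, nickname: str, solved: int) -> str:
    """Render one row of the HTML table that the .xls export consists of.

    Two layered defences: formula neutralization for Excel, and HTML escaping
    for the browser / Excel's HTML importer. quote=False keeps the apostrophe
    literal in the markup. Column set (rank, nickname, solved) is constructed.
    """
    cells = [str(rank), neutralize_cell(nickname), str(solved)]
    return "<tr>" + "".join(f"<td>{html.escape(c, quote=False)}</td>" for c in cells) + "</tr>"


def audit_nicknames(nicknames):
    """Defender-side check: nicknames that would execute if exported unsanitized."""
    return [n for n in nicknames if is_formula_like(n)]


# Constructed sample input modelled on the "Nickname" field the advisory names.
SAMPLE_NICKNAMES = ["alice", "=1+1", "-3points", "@bob", "<b>x</b>"]

if __name__ == "__main__":
    for flagged in audit_nicknames(SAMPLE_NICKNAMES):
        print("formula-like nickname:", repr(flagged))
    for i, name in enumerate(SAMPLE_NICKNAMES, 1):
        print(render_rank_row(i, name, 0))
```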

CVSS Details

Base Score
5.2
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Active (A)
Scope Not Defined (X)

Threat Intelligence

EPSS Exploit Probability
39.7% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

Affected Products 1

Vendor  Product  Version  Range
hustoj  hustoj   *        ≤26.01.31

References 1

  • github.com https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw
    Tags: Exploit, Mitigation, Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.