{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-12T07:37:15.029","vulnerabilities":[{"cve":{"id":"CVE-2026-24479","sourceIdentifier":"security-advisories@github.com","published":"2026-01-27T01:16:02.017","lastModified":"2026-03-02T21:32:57.010","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"HUSTOF is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue."},{"lang":"es","value":"HUSTOF es un juez en línea de código abierto basado en PHP/C++/MySQL/Linux para entrenamiento de ACM/ICPC y NOIP. Antes de la versión 26.01.24, los módulos problem_import_qduoj.php y problem_import_hoj.php no logran sanear correctamente los nombres de archivo dentro de los archivos ZIP subidos. Los atacantes pueden crear un archivo ZIP malicioso que contenga archivos con secuencias de salto de ruta (p. ej., ../../shell.php). Cuando es extraído por el servidor, esto permite escribir archivos en ubicaciones arbitrarias en la raíz web, lo que lleva a la Ejecución Remota de Código (RCE). La versión 26.01.24 contiene una solución para el problema."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:hustoj:hustoj:*:*:*:*:*:*:*:*","versionEndExcluding":"26.01.24","matchCriteriaId":"3C2DFB45-A477-4B77-A437-C7F3C810B8B6"}]}]}],"references":[{"url":"https://github.com/zhblue/hustoj/commit/902bd09e6d0011fe89cd84d4236899314b33101f","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/zhblue/hustoj/security/advisories/GHSA-xmgg-2rw4-7fxj","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}