CVE-2026-23873: CWE-1236: Improper Neutralization of Formula Elements in a CSV File in zhblue hustoj
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication.
CVE-2026-23873: CWE-1236: Improper Neutralization of Formula Elements in a CSV File in zhblue hustoj
Description
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-16T21:02:02.899Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 697162dc4623b1157cf42cb6
Added to database: 1/21/2026, 11:35:56 PM
Last updated: 1/21/2026, 11:37:12 PM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-1036: CWE-862 Missing Authorization in 10web Photo Gallery by 10Web – Mobile-Friendly Image Gallery
MediumCVE-2026-23737: CWE-502: Deserialization of Untrusted Data in lxsmnsyc seroval
HighCVE-2026-23736: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in lxsmnsyc seroval
HighCVE-2026-23996: CWE-208: Observable Timing Discrepancy in Athroniaeth fastapi-api-key
LowCVE-2026-23990: CWE-269: Improper Privilege Management in controlplaneio-fluxcd flux-operator
MediumActions
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.