CVE-2026-23873: CWE-1236: Improper Neutralization of Formula Elements in a CSV File in zhblue hustoj
CVE-2026-23873 is a medium-severity CSV Injection vulnerability affecting all versions of the open-source online judge system hustoj (<= 26.01.01). The vulnerability arises from improper sanitization of user input in the 'Nickname' field when exporting contest rankings to Excel-compatible .xls files. Malicious users can inject Excel formulas that execute when an administrator opens the exported file, potentially leading to remote code execution or data exfiltration on the administrator's machine. Exploitation requires the attacker to hold a low-privilege account and requires user interaction (an administrator opening the file). No patch is currently available. European organizations using hustoj for programming contests or training should be cautious, especially educational institutions and competitive programming platforms. Mitigations include disabling automatic formula execution in Excel, sanitizing user inputs before export, and restricting export functionality to trusted users.
AI Analysis
Technical Summary
CVE-2026-23873 identifies a CSV Injection vulnerability in the open-source online judge system hustoj, which is widely used for ACM/ICPC and NOIP training. The vulnerability is due to improper neutralization of formula elements (CWE-1236) in CSV files generated by the contest rank export functionalities (contestrank.xls.php and admin/ranklist_export.php). Specifically, the application fails to sanitize the 'Nickname' field input from users before embedding it into an .xls file that is rendered as an HTML table but opened by Microsoft Excel. If a malicious user sets their nickname to a string starting with an Excel formula (e.g., =CMD|'/C calc'!A0), when an administrator exports and opens the rank list, Excel will interpret and execute the formula. This can lead to arbitrary command execution (RCE) on the administrator’s machine or data exfiltration, posing a significant risk to confidentiality and integrity. The vulnerability requires low privileges for the attacker but does require user interaction (opening the file) and some privileges for the victim (administrator). No official patch or fix is available at the time of publication, increasing the risk for organizations relying on this software. The CVSS 4.0 score is 5.2 (medium), reflecting the moderate impact and exploitation complexity.
Potential Impact
For European organizations, especially educational institutions, competitive programming platforms, and training centers using hustoj, this vulnerability poses a risk of remote code execution on administrative machines. Successful exploitation could lead to unauthorized access to sensitive data, lateral movement within networks, or disruption of contest operations. Since the attack vector involves exporting and opening rank lists, it targets administrative users who may have elevated privileges, increasing potential damage. The lack of a patch means organizations must rely on mitigations to prevent exploitation. The impact on confidentiality and integrity is significant if exploited, and availability could also be affected if malicious commands disrupt systems. Given the widespread use of Microsoft Excel in Europe and the popularity of hustoj in programming education, the threat is relevant and should be addressed promptly.
Mitigation Recommendations
1. Implement input sanitization on the 'Nickname' field to neutralize any formula characters (e.g., prefixing with a single quote or removing leading '=' characters) before exporting to Excel files.
2. Restrict the export functionality to highly trusted users or administrators only, minimizing exposure.
3. Educate administrators to disable automatic formula execution in Excel by enabling the 'Disable automatic links' or 'Disable external content' settings.
4. Use alternative export formats that do not interpret formulas, such as plain CSV with proper escaping or PDF exports.
5. Monitor and audit exported files for suspicious content before opening.
6. Consider sandboxing or opening exported files in isolated environments to limit potential damage.
7. Engage with the hustoj community or maintainers to prioritize development of an official patch.
8. Regularly update and patch related software components and maintain strong endpoint protection on administrative machines.
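The following is an added example, not hustoj's code, showing mitigations 1 and 5 together: a cell neutralizer of the kind the export scripts would need, and an audit routine that flags formula-shaped cells in an HTML-table .xls export before an administrator opens it. It goes beyond the leading '=' the text mentions and treats the full set of formula triggers listed in OWASP's CSV-injection guidance; the three-column rank layout, function names and sample rows are assumptions.

```python
import html
import re

# Leading characters that make Excel or LibreOffice evaluate a cell as a
# formula (OWASP CSV-injection guidance); tab and CR also trigger in Excel.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value: str) -> str:
    """Return a user-supplied value that Excel will import as plain text.
    A leading single quote marks the cell as text; it is added only when the
    value (ignoring leading whitespace) starts with a trigger."""
    if value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def render_rank_table(rows) -> str:
    """Build an HTML-table export of the kind hustoj saves as .xls (assumed
    columns: rank, nickname, solved). Each cell is neutralized, then escaped."""
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(neutralize_cell(str(c)))}</td>"
                         for c in row) + "</tr>"
        for row in rows)
    return f"<table>{body}</table>"


_CELL = re.compile(r"<td[^>]*>(.*?)</td>", re.S | re.I)


def scan_export(document: str):
    """Audit an exported HTML-table .xls before it is opened: return
    (cell_index, text) for every cell whose text begins with a trigger."""
    findings = []
    for index, match in enumerate(_CELL.finditer(document)):
        text = html.unescape(match.group(1))
        if text.lstrip().startswith(FORMULA_TRIGGERS):
            findings.append((index, text))
    return findings


# Constructed sample rows: one ordinary nickname and one formula-shaped one.
SAMPLE_ROWS = [(1, "alice", 7), (2, "=1+1", 5)]

# What an unsanitized export looks like: escaped for HTML, not for Excel.
UNSAFE_EXPORT = "<table>" + "".join(
    "<tr>" + "".join(f"<td>{html.escape(str(c))}</td>" for c in row) + "</tr>"
    for row in SAMPLE_ROWS) + "</table>"
```

Running `scan_export` over a file produced without `neutralize_cell` reports the offending cell, while the neutralized export produced by `render_rank_table` yields no findings.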
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-16T21:02:02.899Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 697162dc4623b1157cf42cb6
Added to database: 1/21/2026, 11:35:56 PM
Last enriched: 1/29/2026, 8:40:55 AM
Last updated: 2/7/2026, 1:17:58 PM