The vulnerability CVE-2026-24479 affects the zhblue hustoj platform, an open-source online judge system widely used for programming contests and training. The root cause is improper limitation of pathnames (CWE-22) during the extraction of uploaded ZIP archives in the problem_import_qduoj.php and problem_import_hoj.php modules. Specifically, these modules fail to sanitize filenames inside ZIP files, allowing attackers to include path traversal sequences such as '../../shell.php'. When the server extracts these files, it writes them outside the intended directory, often into the web root, enabling attackers to deploy malicious scripts. This leads to remote code execution (RCE) with no need for authentication or user interaction, making exploitation straightforward and highly impactful. The vulnerability affects all versions prior to 26.01.24, which contains the patch. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects network attack vector, low complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild yet, the critical nature and ease of exploitation make this a significant threat. The vulnerability is particularly relevant for organizations running hustoj instances exposed to the internet, especially educational institutions and competitive programming platforms.

For European organizations, the impact of this vulnerability can be severe. Educational institutions, universities, and coding competition platforms that deploy hustoj for training and contests are at risk of unauthorized remote code execution, which can lead to full system compromise. Attackers could deploy web shells, steal sensitive data, manipulate contest results, or pivot to other internal systems. The breach of integrity and availability of the online judge platform can disrupt academic activities and damage reputations. Additionally, compromised servers could be used as a foothold for further attacks within the organization or for launching attacks against other targets. Given the critical CVSS score and the lack of required authentication, the threat is highly relevant for any European entity using vulnerable versions of hustoj, especially those with public-facing installations.

Organizations should immediately upgrade all hustoj instances to version 26.01.24 or later, which contains the fix for this vulnerability. If immediate patching is not possible, implement strict input validation and sanitization on uploaded ZIP files to reject any files containing path traversal sequences. Employ web application firewalls (WAFs) with rules to detect and block suspicious ZIP uploads. Restrict file system permissions so that the web server user cannot write outside designated directories. Monitor server logs for unusual file extraction activities or unexpected file creations in the web root. Conduct regular security audits of the online judge environment and isolate it from critical internal networks to limit potential lateral movement. Finally, educate administrators about the risks of accepting untrusted ZIP archives and enforce secure coding practices for handling file uploads.