The vulnerability identified as CVE-2026-24479 affects the zhblue hustoj platform, an open-source online judge system widely used for ACM/ICPC and NOIP training. The root cause is improper limitation of pathname to a restricted directory (CWE-22) in the problem_import_qduoj.php and problem_import_hoj.php modules. These modules handle ZIP file uploads containing problem data. Prior to version 26.01.24, the system fails to sanitize filenames inside ZIP archives, allowing attackers to embed files with path traversal sequences such as '../../shell.php'. When the server extracts these files, it writes them outside the intended directory, typically into the web root, enabling attackers to place malicious scripts. This leads to remote code execution (RCE) without requiring any authentication or user interaction, making exploitation straightforward. The vulnerability has a CVSS 4.0 base score of 9.3, reflecting its critical nature with network attack vector, low attack complexity, no privileges or user interaction needed, and high impact on confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the ease of exploitation and potential damage make this a significant threat. The issue was fixed in version 26.01.24 by properly sanitizing file paths and restricting extraction locations. Organizations running older versions remain vulnerable and should prioritize patching. The vulnerability affects Linux-based deployments of hustoj that rely on PHP, C++, and MySQL, common in educational and competitive programming environments.

For European organizations, particularly universities, coding bootcamps, and competitive programming platforms using hustoj, this vulnerability poses a severe risk. Exploitation can lead to full system compromise via remote code execution, allowing attackers to deploy web shells, steal sensitive data, manipulate competition results, or pivot within internal networks. The breach of confidentiality, integrity, and availability can damage institutional reputation and disrupt educational activities. Given the criticality and ease of exploitation, attackers could leverage this vulnerability to target high-profile academic institutions or government-affiliated training centers. The impact extends beyond the compromised server, potentially affecting connected systems and data. Additionally, the vulnerability could be exploited to launch further attacks, including ransomware or espionage, especially in countries with strategic interest in academic research and technology development.

Immediate upgrade to hustoj version 26.01.24 or later is the primary mitigation step, as this version contains the fix for the path traversal issue. Until upgrade is possible, organizations should implement strict validation of uploaded ZIP files, rejecting archives containing path traversal sequences or unexpected directory structures. Employ sandboxed extraction environments with limited permissions to prevent files from being written outside designated directories. Web server configurations should restrict execution permissions in upload directories and enforce least privilege principles. Monitoring and logging of file upload activities can help detect suspicious attempts. Regular security audits and penetration testing focused on file upload functionalities are recommended. Additionally, network segmentation can limit the impact of a compromised server. Educating administrators about this vulnerability and ensuring timely patch management processes are critical to prevent exploitation.