Authenticated Admin RCE via Zip‑Slip in HUSTOJ Online Judge (CVE‑2026‑24479)
What Happened – A zip‑slip vulnerability (CVE‑2026‑24479) in the HUSTOJ online‑judge platform allows an authenticated administrator to upload a crafted ZIP archive that traverses the filesystem and writes a malicious PHP payload to the webroot, resulting in full remote code execution (RCE) on the web server.
Why It Matters for TPRM –
- RCE on a third‑party learning platform can be leveraged to pivot into the internal networks of client institutions.
- Exploitable file‑upload paths often indicate insufficient input validation and insecure deployment pipelines.
- The vulnerability is publicly disclosed with a Metasploit module, raising the likelihood of rapid exploitation.
Who Is Affected – Educational institutions, research labs, and any organization that hosts or consumes the HUSTOJ online‑judge software (typically classified under EDU_RESEARCH).
Recommended Actions –
- Verify whether any current contracts rely on HUSTOJ or on services that embed it.
- Ensure the platform is upgraded to version v26.01.24 or later, which patches the zip‑slip flaw.
- Review web‑application firewall (WAF) rules to block malicious ZIP uploads and enforce strict file‑type validation.
- Conduct a penetration test focused on file‑upload endpoints for any other similar path‑traversal weaknesses.
Technical Notes – The exploit abuses the problem_import_qduoj.php script, which extracts ZIP entries without sanitising path components. By inserting ../ sequences, an attacker can write a PHP web‑shell to the document root. The payload is typically delivered via a Metasploit module that generates a Linux x86 Meterpreter ELF. No CVE‑specific patch is available in the upstream repository prior to v26.01.24. Source: https://www.exploit-db.com/exploits/52539
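The core defect described above is extraction of ZIP entry names without checking where they resolve. The following is an added illustration (not HUSTOJ code, not from the Exploit-DB entry) of the check an import or upload handler should perform before writing anything: it audits every entry name for traversal components, then extracts only if the whole archive passes, and independently verifies that each resolved path stays under the destination root. It goes slightly beyond the `../` case in the advisory by also rejecting absolute paths, Windows drive prefixes and backslash separators. The two sample archives are constructed inline with inert contents; the function names and the `problem/1/description.md` layout are assumptions for the example.

```python
"""Zip-slip guard: audit ZIP entry names and extract only entries that stay
inside the intended directory. Added illustration, not HUSTOJ code."""
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path


def is_traversal_entry(name: str) -> bool:
    """True if a ZIP entry name could land outside the extraction root.

    Rejects any '..' path component, absolute paths and Windows drive
    prefixes. Backslashes are treated as separators first because some
    ZIP writers emit them and a naive extractor may honour them.
    """
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return True
    if len(normalized) > 1 and normalized[0].isalpha() and normalized[1] == ":":
        return True
    return ".." in normalized.split("/")


def audit_archive(data: bytes) -> list[str]:
    """Return the names of all entries that fail the traversal check,
    without extracting anything. Suitable for an upload handler."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if is_traversal_entry(i.filename)]


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Extract `data` under `dest`, refusing the whole archive if any entry
    would escape. Returns the relative paths written (POSIX separators)."""
    root = Path(dest).resolve()
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Check every name before writing anything, so a bad entry late in
        # the archive cannot leave a half-extracted tree behind.
        bad = [i.filename for i in zf.infolist() if is_traversal_entry(i.filename)]
        if bad:
            raise ValueError(f"archive rejected, traversal entries: {bad}")
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            # Independent second check on the resolved path: it must be the
            # root itself or a descendant of it, even if the name-based
            # check above were somehow bypassed.
            if target != root and root not in target.parents:
                raise ValueError(f"resolved path escapes root: {info.filename!r}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(root).as_posix())
    return written


def extract_into_tempdir(data: bytes) -> list[str]:
    """Convenience wrapper: extract into a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(data, d)


def extraction_rejected(data: bytes) -> bool:
    """True if safe_extract refuses the archive (used to check the guard)."""
    try:
        extract_into_tempdir(data)
    except ValueError:
        return True
    return False


# --- constructed sample archives (not real HUSTOJ problem exports) ---------

def build_benign_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("problem/1/description.md", "# constructed sample problem\n")
    return buf.getvalue()


def build_traversal_archive() -> bytes:
    """Entry name carries '../' components; the content is an inert marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("problem/1/description.md", "# constructed sample problem\n")
        zf.writestr("../../marker.txt", "inert marker, not a payload\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("benign audit:", audit_archive(build_benign_archive()))
    print("traversal audit:", audit_archive(build_traversal_archive()))
    print("benign extract:", extract_into_tempdir(build_benign_archive()))
    print("traversal rejected:", extraction_rejected(build_traversal_archive()))
```

Rejecting the whole archive rather than skipping the offending entry is deliberate: a partially imported problem set is harder to reason about than a clean failure, and the audit result gives the upload handler something concrete to log and alert on. The resolved-path check is the one that matters if the name-based filter is ever loosened; keep both.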