Vulnerability in Zhblue Hustoj

CVE-2026-23873

hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admi…

EPSS: 0.000 (9.5th percentile) — read the EPSS interpretation.

Affected products

Zhblue Hustoj — versions <= 26.01.01

Weakness classification (CWE)

CWE-1236 — Improper Neutralization of Formula Elements in a CSV File

References

https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw (x_refsource_CONFIRM)