CVE-2001-0089

Internet Explorer <5.6 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2001-0089. PoCs published by Key.

AI-analyzed exploit summary This exploit leverages a design flaw in the INPUT TYPE=FILE HTML form element to trick users into uploading known files from their local system. The VBScript manipulates key presses to inject a predefined file path (e.g., C:\WINNT\REPAIR\SAM._) into the file input field, potentially exposing sensitive information.

Description

Internet Explorer 5.0 through 5.5 allows remote attackers to read arbitrary files from the client via the INPUT TYPE element in an HTML form, aka the "File Upload via Form" vulnerability.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Key · htmlremotewindows
https://www.exploit-db.com/exploits/20459

This exploit leverages a design flaw in the INPUT TYPE=FILE HTML form element to trick users into uploading known files from their local system. The VBScript manipulates key presses to inject a predefined file path (e.g., C:\WINNT\REPAIR\SAM._) into the file input field, potentially exposing sensitive information.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Internet Explorer 5 (and potentially other versions)
No auth needed
Prerequisites: Known filename on victim's machine · Victim interaction (typing in the form field) · Read access to the target file
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/5615

Scores

EPSS 0.1447
EPSS Percentile 96.2%

Details

Status published
Products (3)
microsoft/internet_explorer 5.0
microsoft/internet_explorer 5.01
microsoft/internet_explorer < 5.5
Published Feb 16, 2001
Tracked Since Feb 18, 2026