CVE-2001-0778

OmniHTTPd < 2.0.8 - Unauthenticated Source Code Disclosure via URL-Encoded Space

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2001-0778. PoCs published by astral.

AI-analyzed exploit summary This exploit leverages a Unicode space encoding flaw in OmniHTTPD to disclose source code of files (.php, .pl, or .shtml) by appending %20 (Unicode space) to the GET request. The vulnerability arises due to improper handling of Unicode-encoded spaces in file requests.

Description

OmniHTTPd 2.0.8 and earlier allow remote attackers to obtain source code via a GET request with the URL-encoded symbol for a space (%20).

Exploits (1)

exploitdb WORKING POC VERIFIED
by astral · textremotewindows
https://www.exploit-db.com/exploits/20886

This exploit leverages a Unicode space encoding flaw in OmniHTTPD to disclose source code of files (.php, .pl, or .shtml) by appending %20 (Unicode space) to the GET request. The vulnerability arises due to improper handling of Unicode-encoded spaces in file requests.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: OmniHTTPD
No auth needed
Prerequisites: Target server running OmniHTTPD · Network access to the server
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/6621
Various Sources x_refsource_confirm
http://www.omnicron.ca/httpd/docs/release.html
Exploit, Vendor Advisory mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0248.html

Scores

EPSS 0.0630
EPSS Percentile 92.8%

Details

Status published
Products (1)
omnicron/omnihttpd < 2.0.8
Published Oct 18, 2001
Tracked Since Feb 18, 2026