CVE-2009-2261

PeaZIP <2.6.1-2.5.1 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2009-2261. PoCs published by Metasploit, Nine:Situations:Group, pyrokinesis, jduck, including Metasploit module exploits/multi/fileformat/peazip_command_injection.

AI-analyzed exploit summary This exploit leverages a command injection vulnerability in PeaZip by crafting a malicious ZIP file with a specially named file entry. When the victim opens the ZIP and double-clicks the file, arbitrary commands are executed.

Description

PeaZIP 2.6.1, 2.5.1, and earlier on Windows allows user-assisted remote attackers to execute arbitrary commands via a .zip archive with a .txt file whose name contains | (pipe) characters and a command.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalmultiple
https://www.exploit-db.com/exploits/16307

This exploit leverages a command injection vulnerability in PeaZip by crafting a malicious ZIP file with a specially named file entry. When the victim opens the ZIP and double-clicks the file, arbitrary commands are executed.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: PeaZip <= 2.6.1
No auth needed
Prerequisites: Victim must open the malicious ZIP file and interact with the crafted file entry
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Nine:Situations:Group · phplocalwindows
https://www.exploit-db.com/exploits/8881

This exploit generates a malicious ZIP file that leverages a command injection vulnerability in PeaZIP <= 2.6.1. When the victim opens the ZIP and double-clicks the crafted file, arbitrary commands (e.g., fetching and executing a remote batch file) are executed via pipe manipulation in the filename.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: PeaZIP <= 2.6.1
No auth needed
Prerequisites: Victim must open the malicious ZIP file and interact with the crafted file entry
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by pyrokinesis, jduck · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/fileformat/peazip_command_injection.rb

This Metasploit module exploits a command injection vulnerability in PeaZip (CVE-2009-2261) by crafting a malicious ZIP file. When the victim opens the file and double-clicks the specially named entry, arbitrary commands are executed.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: PeaZip < 2.6.2
No auth needed
Prerequisites: Victim must open the malicious ZIP file and interact with the crafted entry
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/8881

Scores

EPSS 0.7059
EPSS Percentile 98.7%

Details

CWE
CWE-20
Status published
Products (25)
giorgio_tani/peazip 1.0
giorgio_tani/peazip 1.1
giorgio_tani/peazip 1.2
giorgio_tani/peazip 1.3
giorgio_tani/peazip 1.4
giorgio_tani/peazip 1.5
giorgio_tani/peazip 1.6
giorgio_tani/peazip 1.7
giorgio_tani/peazip 1.8
giorgio_tani/peazip 1.8.1
... and 15 more
Published Jun 30, 2009
Tracked Since Feb 18, 2026