CVE-2009-2261
PeaZIP <2.6.1-2.5.1 - Command Injection
PeaZIP 2.6.1, 2.5.1, and earlier on Windows allows user-assisted remote attackers to execute arbitrary commands via a .zip archive with a .txt file whose name contains | (pipe) characters and a command.
Exploits (3)
exploitdb · WORKING POC · VERIFIED · by Metasploit · ruby, local, multiple
https://www.exploit-db.com/exploits/16307
exploitdb · WORKING POC · VERIFIED · by Nine:Situations:Group · php, local, windows
https://www.exploit-db.com/exploits/8881
metasploit · WORKING POC · EXCELLENT · by pyrokinesis, jduck · ruby, poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/fileformat/peazip_command_injection.rb
Scores
EPSS: 0.7059
EPSS Percentile: 98.7%
Details
CWE: CWE-20
Status: published
Products (25)
giorgio_tani/peazip 1.0
giorgio_tani/peazip 1.1
giorgio_tani/peazip 1.2
giorgio_tani/peazip 1.3
giorgio_tani/peazip 1.4
giorgio_tani/peazip 1.5
giorgio_tani/peazip 1.6
giorgio_tani/peazip 1.7
giorgio_tani/peazip 1.8
giorgio_tani/peazip 1.8.1
... and 15 more
Published: Jun 30, 2009
Tracked Since: Feb 18, 2026