CVE-2018-8619

HIGH

Internet Explorer 9-11 - Remote Code Execution via VBScript Execution Policy Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-8619. PoCs published by Google Security Research.

AI-analyzed exploit summary This exploit demonstrates a bypass of the VBScript execution policy in Internet Explorer 11 by leveraging VBScript in MSXML XSL files, which can execute despite the policy disabling VBScript in the Internet Zone.

Description

A remote code execution vulnerability exists when the Internet Explorer VBScript execution policy does not properly restrict VBScript under specific conditions, aka "Internet Explorer Remote Code Execution Vulnerability." This affects Internet Explorer 9, Internet Explorer 11, Internet Explorer 10.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Google Security Research · textdoswindows
https://www.exploit-db.com/exploits/46023

This exploit demonstrates a bypass of the VBScript execution policy in Internet Explorer 11 by leveraging VBScript in MSXML XSL files, which can execute despite the policy disabling VBScript in the Internet Zone.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Internet Explorer 11 on Windows 10 Version 1803
No auth needed
Prerequisites: Web server hosting the exploit files · Target system with Internet Explorer 11 and VBScript execution policy applied for the Internet Zone
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/106119
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46023/

Scores

CVSS v3 7.5
EPSS 0.4576
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-269
Status published
Products (3)
microsoft/internet_explorer 9
microsoft/internet_explorer 10
microsoft/internet_explorer 11
Published Dec 12, 2018
Tracked Since Feb 18, 2026