EIP-2026-117340

PRE-CVE

Intuit QuickBooks Desktop 2007 < 2016 - Arbitrary Code Execution

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-117340. PoCs published by Maxim Tomashevich.

AI-analyzed exploit summary This writeup describes an arbitrary SQL/code execution vulnerability in QuickBooks Desktop (2007-2016) due to unvalidated SQL scripts in company files. The PoC demonstrates launching Notepad.exe via embedded SQL commands, highlighting the risk of malicious payloads in QBW, QBA, QBX, and QBM files.

Description

Intuit QuickBooks Desktop 2007 < 2016 - Arbitrary Code Execution

Exploits (1)

exploitdb WRITEUP

by Maxim Tomashevich · textlocalwindows

https://www.exploit-db.com/exploits/39804

View Code ZIP pw:eip

This writeup describes an arbitrary SQL/code execution vulnerability in QuickBooks Desktop (2007-2016) due to unvalidated SQL scripts in company files. The PoC demonstrates launching Notepad.exe via embedded SQL commands, highlighting the risk of malicious payloads in QBW, QBA, QBX, and QBM files.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: QuickBooks Desktop 2007-2016

No auth needed

Prerequisites: Access to a malicious or modified QuickBooks company file (QBW, QBA, QBX, QBM)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026