EIP-2026-117836

PRE-CVE

Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-117836. PoCs published by Eduardo Braun Prado.

AI-analyzed exploit summary This exploit leverages a vulnerability in Real Player v.20.0.8.310's G2 Control component, allowing remote code execution via 'javascript:' URIs passed to the 'DoGoToURL()' method. The PoC plants an HTA file in the user's startup folder, which executes on next logon or boot.

Description

Real Player v.20.0.8.310 G2 Control - 'DoGoToURL()' Remote Code Execution (RCE)

Exploits (1)

exploitdb WORKING POC

by Eduardo Braun Prado · textlocalwindows

https://www.exploit-db.com/exploits/50953

View Code ZIP pw:eip

This exploit leverages a vulnerability in Real Player v.20.0.8.310's G2 Control component, allowing remote code execution via 'javascript:' URIs passed to the 'DoGoToURL()' method. The PoC plants an HTA file in the user's startup folder, which executes on next logon or boot.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Real Player v.20.0.8.310

No auth needed

Prerequisites: Web server setup · Victim to download and open a malicious RAM file

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026