EIP-2026-119006

PRE-CVE

Oracle AutoVue 20.0.1 AutoVueX - ActiveX Control SaveViewStateToFile

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-119006. PoCs published by rgod.

AI-analyzed exploit summary: The exploit demonstrates an arbitrary file creation/overwrite vulnerability in Oracle AutoVue 20.0.1 via the SaveViewStateToFile() method in the AutoVueX ActiveX control. The PoC shows how an attacker can overwrite files like boot.ini by leveraging the unsafe ActiveX control marked as 'safe for scripting'.

Description

Oracle AutoVue 20.0.1 AutoVueX - ActiveX Control SaveViewStateToFile

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by rgod · text · remote · windows
https://www.exploit-db.com/exploits/18016

Classification: Working PoC 95%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Oracle AutoVue 20.0.1
No auth needed
Prerequisites: Internet Explorer with ActiveX enabled · Oracle AutoVue 20.0.1 installed
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026