EIP-2026-119655

PRE-CVE

Windows PowerShell - Event Log Bypass Single Quote Code Execution

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-119655. PoCs published by hyp3rlinx.

AI-analyzed exploit summary: This advisory details a PowerShell single quote bypass and event log truncation vulnerability, allowing arbitrary code execution and evasion of logging mechanisms. The technique leverages semicolons and ampersands in filenames to execute unintended commands while masking the true filename in PowerShell event logs.

Description

Windows PowerShell - Event Log Bypass Single Quote Code Execution

Exploits (1)

exploitdb WRITEUP
by hyp3rlinx · text · local · windows_x86-64
https://www.exploit-db.com/exploits/51843


Classification
Writeup 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows PowerShell (built on .NET Framework)
No auth needed
Prerequisites: Local access to a Windows system with PowerShell · Ability to craft filenames with special characters
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026