EIP-2026-119659

PRE-CVE

Microsoft Excel 2016 1901 - XML External Entity Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-119659. PoCs published by hyp3rlinx.

AI-analyzed exploit summary This exploit demonstrates an XML External Entity (XXE) injection vulnerability in Microsoft Excel 2016 v1901. By crafting a malicious XML file and leveraging the 'Import as HTML page' functionality, an attacker can exfiltrate local data to a remote server.

Description

Microsoft Excel 2016 1901 - XML External Entity Injection

Exploits (1)

exploitdb WORKING POC

by hyp3rlinx · textlocalxml

https://www.exploit-db.com/exploits/47735

View Code ZIP pw:eip

This exploit demonstrates an XML External Entity (XXE) injection vulnerability in Microsoft Excel 2016 v1901. By crafting a malicious XML file and leveraging the 'Import as HTML page' functionality, an attacker can exfiltrate local data to a remote server.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Excel 2016 v1901

No auth needed

Prerequisites: User interaction to import the malicious XML file as an HTML page

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1213 - Data from Information Repositories

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026