HIGHCVE-2026-42881Published 2026-05-14Modified 2026-05-14CNA GitHub_M

CVE-2026-42881: STIGQter: Arbitrary File Write leading to Local Code Execution via Export HTML

STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution (LCE) with the privileges of the user running STIGQter. This requires user interaction: the victim must open the malicious .stigqter file and explicitly run the "Export HTML" action. This vulnerability is fixed in 1.2.7.

CVSS v4.0: 8.4
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

squinky86 / STIGQter
>= 0.1.2, < 1.2.7

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

https://github.com/squinky86/STIGQter/security/advisories/GHSA-mcv5-5j7p-vqh7
https://www.bitwizemusic.com/security/advisories/bve-2026-0007

Metrics