CVE-2026-42881
Severity: HIGH
STIGQter: Arbitrary File Write leading to Local Code Execution via Export HTML
Title source: cnaDescription
STIGQter is an open-source reimplementation of DISA's STIG Viewer. In versions from 0.1.2 up to, but not including, 1.2.7, an attacker can achieve local code execution (LCE) with the privileges of the user running STIGQter. Exploitation requires user interaction: the victim must open the malicious .stigqter file and explicitly run the "Export HTML" action. This vulnerability is fixed in 1.2.7.
References (3)
Core References
x_refsource_confirm
https://github.com/squinky86/STIGQter/security/advisories/GHSA-mcv5-5j7p-vqh7
x_refsource_misc
https://www.bitwizemusic.com/security/advisories/bve-2026-0007
Vendor Advisory
https://www.bitwizemusic.com/security/advisories/bve-2026-0007/
Scores
CVSS v4: 8.4
EPSS: 0.0015
EPSS Percentile: 4.6%
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details
CWE: CWE-22, CWE-73
Status: published
Products (1)
squinky86/STIGQter: >= 0.1.2, < 1.2.7
Published: May 14, 2026
Tracked Since: May 14, 2026