CVE-2026-42171 HIGH

CVE-2026-42171

Vendor Nullsoft
Product Nullsoft Scriptable Install System
Weakness CWE-427
Published April 24, 2026
Last update April 25, 2026

CVSS base score

7.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).

Key dates

02Disclosure timeline

April 24, 2026 CVE published
April 25, 2026 Record updated