CVE-2026-42881 HIGH

CVE-2026-42881: STIGQter: Arbitrary File Write leading to Local Code Execution via Export HTML

Vendor Squinky86
Product STIGQter
Weakness CWE-22 · Path traversal
Published May 14, 2026
Last update May 14, 2026

CVSS base score

8.4/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Active
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

STIGQter is an open-source reimplementation of DISA's STIG Viewer. In versions from 0.1.2 up to, but not including, 1.2.7, an attacker can achieve local code execution (LCE) with the privileges of the user running STIGQter. Exploitation requires user interaction: the victim must open a malicious .stigqter file and explicitly run the "Export HTML" action. The vulnerability is fixed in 1.2.7.

Key dates

02 Disclosure timeline

May 14, 2026 CVE published
May 14, 2026 Record updated