{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-42171", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-24T21:20:35.145Z", "datePublished": "2026-04-24T21:20:35.525Z", "dateUpdated": "2026-04-25T19:33:05.317Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Nullsoft Scriptable Install System", "vendor": "Nullsoft", "versions": [{"lessThan": "3.12", "status": "affected", "version": "3.06.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references)."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-25T19:33:05.317Z"}, "references": [{"url": "https://nsis.sourceforge.io/Docs/AppendixF.html#v3.12-cl"}, {"url": "https://github.com/NSIS-Dev/nsis/commit/8e6f02205d5f22da6c7855dbfe59b2af667330ca"}, {"url": "https://github.com/NSIS-Dev/nsis/blob/7359413009afd4f0fff472d841fc2f2cc0e0a5f8/Source/exehead/util.c#L475-L484"}, {"url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-gettempfilename"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nullsoft:nullsoft_scriptable_install_system:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.06.1", "versionEndExcluding": "3.12"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-25T01:56:27.818440Z", "id": "CVE-2026-42171", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:56:37.358Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42171", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-25T01:56:27.818440Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T01:56:33.733Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Nullsoft", "product": "Nullsoft Scriptable Install System", "versions": [{"status": "affected", "version": "3.06.1", "lessThan": "3.12", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://nsis.sourceforge.io/Docs/AppendixF.html#v3.12-cl"}, {"url": "https://github.com/NSIS-Dev/nsis/commit/8e6f02205d5f22da6c7855dbfe59b2af667330ca"}, {"url": "https://github.com/NSIS-Dev/nsis/blob/7359413009afd4f0fff472d841fc2f2cc0e0a5f8/Source/exehead/util.c#L475-L484"}, {"url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-gettempfilename"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nullsoft:nullsoft_scriptable_install_system:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.12", "versionStartIncluding": "3.06.1"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-25T19:33:05.317Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42171", "state": "PUBLISHED", "dateUpdated": "2026-04-25T19:33:05.317Z", "dateReserved": "2026-04-24T21:20:35.145Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-24T21:20:35.525Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references)."}], "id": "CVE-2026-42171", "lastModified": "2026-04-27T18:57:20.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-24T22:16:01.540", "references": [{"source": "cve@mitre.org", "url": "https://github.com/NSIS-Dev/nsis/blob/7359413009afd4f0fff472d841fc2f2cc0e0a5f8/Source/exehead/util.c#L475-L484"}, {"source": "cve@mitre.org", "url": "https://github.com/NSIS-Dev/nsis/commit/8e6f02205d5f22da6c7855dbfe59b2af667330ca"}, {"source": "cve@mitre.org", "url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-gettempfilename"}, {"source": "cve@mitre.org", "url": "https://nsis.sourceforge.io/Docs/AppendixF.html#v3.12-cl"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.06.1,3.12)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 88.0, "source": "matching"}]}, "original": {"product": "Nullsoft Scriptable Install System", "source": "cna", "vendor": "Nullsoft"}, "product": "nullsoft_scriptable_install_system", "vendor": "nullsoft"}], "analysis": {"en": {"generated_at": "2026-04-28T05:43:19.485145+00:00", "value": {"mitigation_remediation": ["Upgrade to NSIS version 3.12 or later, which removes the low-IL temp directory usage bug.", "If an upgrade is not immediately possible, ensure that the user account performing the installation does not have privileges that can manipulate or bypass the temp file creation (e.g., restrict write access to the temp directory and validate the return value of my_GetTempFileName).", "Continuously monitor for any exploitation attempts by reviewing installer logs and watching for unexpected files created in low\u2011IL temp directories; quarantine any anomalous activity immediately."], "summary": {"action": "Patch Now", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects Nullsoft\u2019s Nullsoft Scriptable Install System from any vendor that distributes the OS\u2011level installer, including Windows clients and servers. The affected releases are NSIS 3.06.1 through 3.11.2; versions 3.12 and later incorporate the fix. No additional vendor or product variants are listed. If your environment uses NSIS 3.06.1\u20113.11.x, you are potentially vulnerable.", "description_and_impact": "NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 contains a flaw where the runtime may use a low integrity level temporary directory when running under the SYSTEM account. If a malicious local user can force the internal function my_GetTempFileName to return zero, the installer can write files to that low IL directory and then execute them with SYSTEM privileges. This vulnerability is a classic path bypass weakness (CWE-427) that directly permits escalation of local privileges, potentially allowing an attacker to modify the system or install persistent malware. The impact is significant because SYSTEM access provides full control over the OS, enabling complete compromise of the affected machine.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a high severity, with the EPSS score less than 1% suggesting a low probability of attackers actively exploiting this issue at present. The flaw is not listed in CISA\u2019s KEV catalog, further indicating limited known exploitation. The vulnerability requires a local attacker to trigger a zero return from my_GetTempFileName, which implies some user privilege is necessary but could be achieved from a compromised user account. The attack path is local, leveraging the installer's behavior under SYSTEM and the low IL temp directory, and does not require network reachability or external code injection."}}}}, "created": "2026-04-27T20:15:12.102752+00:00", "title": "Low IL Temp Directory Path Exposure Allows Local Privilege Escalation", "updated": "2026-04-28T05:45:23.301349+00:00", "vendors": ["nullsoft", "nullsoft$PRODUCT$nullsoft_scriptable_install_system"]}