CVE-2026-42881

Source
https://cve.org/CVERecord?id=CVE-2026-42881
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42881.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42881
Aliases
  • GHSA-mcv5-5j7p-vqh7
Published
2026-05-14T15:05:21.339Z
Modified
2026-07-08T08:13:03.609715Z
Severity
  • 8.4 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
STIGQter: Arbitrary File Write leading to Local Code Execution via Export HTML
Details

STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution (LCE) with the privileges of the user running STIGQter. This requires user interaction: the victim must open the malicious .stigqter file and explicitly run the "Export HTML" action. This vulnerability is fixed in 1.2.7.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42881.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22",
        "CWE-73"
    ]
}
References

Affected packages

Git / github.com/squinky86/stigqter

Affected ranges

Type
GIT
Repo
https://github.com/squinky86/stigqter
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "0.1.2"
        },
        {
            "fixed": "1.2.7"
        },
        {
            "introduced": "0"
        }
    ]
}

Affected versions

0.*
0.1.0_beta
0.1.1-beta
0.1.2-beta
0.1.3-beta
0.1.4-beta
0.1.5-beta
0.1.6-beta
1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42881.json"