CVE-2026-42171

CVSS 7.8 HIGHEPSS 0.2%CWE-427

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.8EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

24 Apr 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

Nullsoft · Nullsoft Scriptable Install System

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/NSIS-Dev/nsis/blob/7359413009afd4f0fff472d841fc2f2cc0e0a5f8/Source/exehead/util.c#L475-L484 https://github.com/NSIS-Dev/nsis/commit/8e6f02205d5f22da6c7855dbfe59b2af667330ca https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-gettempfilename https://nsis.sourceforge.io/Docs/AppendixF.html#v3.12-cl