What is CVE-2026-42171?

CVE-2026-42171 is a high-severity vulnerability in Nullsoft Scriptable Install System, classified under Uncontrolled Search Path Element. CVSS score: 7.8/10. Published 2026-04-24.

How severe is CVE-2026-42171?

High severity. CVSS v3 base score is 7.8 out of 10.

Vulnerability in Nullsoft Scriptable Install System

CVE-2026-42171

NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the…

EPSS: 0.000 (0.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.8 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

Affected products

Nullsoft Scriptable Install System — versions 3.06.1
Nullsoft Nullsoft_scriptable_install_system

Weakness classification (CWE)

CWE-427 — Uncontrolled Search Path Element

References

cve@mitre.org (Release Notes)
cve@mitre.org (Patch)
cve@mitre.org (Product)
cve@mitre.org (Product)

Frequently asked questions

What is CVE-2026-42171?: CVE-2026-42171 is a high-severity vulnerability in Nullsoft Scriptable Install System, classified under Uncontrolled Search Path Element. CVSS score: 7.8/10. Published 2026-04-24.
How severe is CVE-2026-42171?: High severity. CVSS v3 base score is 7.8 out of 10.