Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution (LCE) with the privileges of the user running STIGQter. This requires user interaction: the victim must open the malicious .stigqter file and explicitly run the "Export HTML" action. This vulnerability is fixed in 1.2.7.
AnalysisAI
Path traversal in STIGQter 0.1.2 through 1.2.6 allows local code execution when users open malicious .stigqter files and explicitly run the 'Export HTML' action. The CWE-22 path traversal flaw enables attackers to write arbitrary files with the victim's privileges, achieving code execution. User interaction is mandatory - victims must both open a crafted file and trigger the specific export function. No public exploit code or active exploitation has been identified at time of analysis, though the attack path is straightforward for targeted social engineering. Fixed in version 1.2.7 per vendor advisory.
Technical ContextAI
STIGQter is an open-source alternative to DISA's STIG Viewer for managing Security Technical Implementation Guides. The vulnerability exploits CWE-22 (improper limitation of a pathname to a restricted directory) during HTML export operations. When processing .stigqter project files, the application fails to properly sanitize file paths before writing export output. An attacker can embed path traversal sequences (e.g., '../../../') in a malicious project file to write arbitrary content outside intended directories. The CVSS 4.0 vector AV:L/AC:L/UI:A indicates local attack vector with low complexity but required user interaction - victims must explicitly open the malicious file and invoke the vulnerable export function. The high confidentiality, integrity, and availability impacts (VC:H/VI:H/VA:H) reflect that successful exploitation executes arbitrary code with the full privileges of the STIGQter process owner.
RemediationAI
Upgrade to STIGQter version 1.2.7 or later, which contains the fix for the path traversal vulnerability per GitHub advisory GHSA-mcv5-5j7p-vqh7 (https://github.com/squinky86/STIGQter/security/advisories/GHSA-mcv5-5j7p-vqh7) and vendor advisory BVE-2026-0007 (https://www.bitwizemusic.com/security/advisories/bve-2026-0007). Organizations unable to immediately upgrade should implement compensating controls: restrict opening .stigqter files to those from verified trusted sources only, disable or restrict the 'Export HTML' function through application configuration if business processes allow, and run STIGQter under least-privilege user accounts to limit code execution impact. Note that disabling HTML export may impact compliance reporting workflows. Organizations should audit existing .stigqter project files for unexpected path traversal sequences before opening in any version, and establish secure channels for sharing project files within teams.
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30305