Nullsoft Scriptable Install System
by Nullsoft
CVEs (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42171 | | Hig | 0.44 | 7.8 | 0.00 | | Apr 24, 2026 | NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references). |
| CVE-2015-9267 | | Med | 0.36 | 5.5 | 0.00 | | Oct 1, 2018 | Nullsoft Scriptable Install System (NSIS) before 2.49 uses temporary folder locations that allow unprivileged local users to overwrite files. This allows a local attack in which either a plugin or the uninstaller can be replaced by a Trojan horse program. |
| CVE-2023-37378 | | | 0.00 | — | 0.01 | | Jul 3, 2023 | Nullsoft Scriptable Install System (NSIS) before 3.09 mishandles access control for an uninstaller directory. |
| CVE-2015-0941 | | | 0.00 | — | 0.01 | | Mar 22, 2015 | The Inetc plugin for Nullsoft Scriptable Install System (NSIS), as used in CERT/CC Failure Observation Engine (FOE) and other products, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and possibly execute arbitrary… |