Search
Find a vulnerability
Search criteria
6 vulnerabilities found for SzafirHost by Krajowa Izba Rozliczeniowa
CVE-2026-13165 (GCVE-0-2026-13165)
Vulnerability from nvd – Published: 2026-06-29 12:16 – Updated: 2026-06-29 13:58
VLAI
Title
Remote Code Execution in SzafirHost
Summary
SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers). An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This can lead to remote code execution.
This issue was fixed in version 1.2.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/posts/2026/06/CVE-2026-13165 | third-party-advisory |
| https://www.elektronicznypodpis.pl/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Krajowa Izba Rozliczeniowa | SzafirHost |
Affected:
0 , < 1.2.2
(semver)
|
Date Public
2026-06-29 12:15
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:58:08.681080Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:58:14.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SzafirHost",
"vendor": "Krajowa Izba Rozliczeniowa",
"versions": [
{
"lessThan": "1.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mariusz Maik"
}
],
"datePublic": "2026-06-29T12:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSzafirHost \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003everifies the downloaded native library archive with one \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eJarFile\u003c/span\u003e parser (reading the Central Directory) but extracts native libraries with \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eJarInputStream parser\u003c/span\u003e (reading sequentially from local file headers).\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This\u0026nbsp;\u003c/span\u003ecan lead to remote code execution.\u003c/p\u003eThis issue was fixed in version 1.2.2.\u003cbr\u003e"
}
],
"value": "SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers).\u00a0An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This\u00a0can lead to remote code execution.\n\nThis issue was fixed in version 1.2.2."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T12:16:55.559Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/06/CVE-2026-13165"
},
{
"tags": [
"product"
],
"url": "https://www.elektronicznypodpis.pl/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Remote Code Execution in SzafirHost",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-13165",
"datePublished": "2026-06-29T12:16:55.559Z",
"dateReserved": "2026-06-24T13:07:31.310Z",
"dateUpdated": "2026-06-29T13:58:14.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44088 (GCVE-0-2026-44088)
Vulnerability from nvd – Published: 2026-05-15 08:48 – Updated: 2026-05-15 11:07
VLAI
Title
Remote Code Execution in SzafirHost
Summary
SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded.
This issue was fixed in version 1.2.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/posts/2026/05/CVE-2026-44088 | third-party-advisory |
| https://www.elektronicznypodpis.pl/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Krajowa Izba Rozliczeniowa | SzafirHost |
Affected:
0 , < 1.2.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T11:07:43.075751Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T11:07:58.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SzafirHost",
"vendor": "Krajowa Izba Rozliczeniowa",
"versions": [
{
"lessThan": "1.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mariusz Maik"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSzafirHost verifies the signature of the downloaded JAR file using class \u003ci\u003eJarInputStream\u003c/i\u003e (reading from the beginning of the file), but loads classes using class \u003ci\u003eJarFile/URLClassLoader\u003c/i\u003e (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded.\u003cbr\u003e\u003c/p\u003eThis issue was fixed in version 1.2.1."
}
],
"value": "SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded.\n\n\nThis issue was fixed in version 1.2.1."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T08:48:11.694Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/05/CVE-2026-44088"
},
{
"tags": [
"product"
],
"url": "https://www.elektronicznypodpis.pl/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Remote Code Execution in SzafirHost",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-44088",
"datePublished": "2026-05-15T08:48:11.694Z",
"dateReserved": "2026-05-05T09:40:05.100Z",
"dateUpdated": "2026-05-15T11:07:58.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26928 (GCVE-0-2026-26928)
Vulnerability from nvd – Published: 2026-04-02 14:01 – Updated: 2026-04-02 14:21
VLAI
Title
Lack of Dynamic Library Validation in SzafirHost
Summary
SzafirHost downloads necessary files in the context of the initiating web page. When called, SzafirHost updates its dynamic library. JAR files are correctly verified based on a list of trusted file hashes, and if a file was not on that list, it was checked to see if it had been digitally signed by the vendor. The application doesn't verify hash or vendor's digital signature of uploaded DLL, SO, JNILIB or DYLIB file. The attacker can provide malicious file which will be saved in users /temp folder and executed by the application.
This issue was fixed in version 1.1.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-354 - Improper Validation of Integrity Check Value
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/posts/2026/04/CVE-2026-26927 | third-party-advisory |
| https://www.elektronicznypodpis.pl/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Krajowa Izba Rozliczeniowa | SzafirHost |
Affected:
0 , < 1.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26928",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T14:21:35.804676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:21:50.711Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SzafirHost",
"vendor": "Krajowa Izba Rozliczeniowa",
"versions": [
{
"lessThan": "1.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Leszczy\u0144ski"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SzafirHost\u0026nbsp;downloads necessary files in the context of the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003einitiating web page.\u003c/span\u003e\u0026nbsp;When called, SzafirHost updates its dynamic library. JAR files are correctly verified based on a list of trusted file hashes, and if a file was not on that list, it was checked to see if it had been digitally signed by the vendor. The application doesn\u0027t verify hash or vendor\u0027s digital signature of uploaded\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDLL, SO, JNILIB or DYLIB\u003c/span\u003e file. The attacker can provide malicious file which will be saved in users /temp folder\u0026nbsp;\u003cspan style=\"background-color: rgba(221, 223, 228, 0.04);\"\u003eand executed by the application.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 1.1.0."
}
],
"value": "SzafirHost\u00a0downloads necessary files in the context of the initiating web page.\u00a0When called, SzafirHost updates its dynamic library. JAR files are correctly verified based on a list of trusted file hashes, and if a file was not on that list, it was checked to see if it had been digitally signed by the vendor. The application doesn\u0027t verify hash or vendor\u0027s digital signature of uploaded\u00a0DLL, SO, JNILIB or DYLIB file. The attacker can provide malicious file which will be saved in users /temp folder\u00a0and executed by the application.\n\nThis issue was fixed in version 1.1.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-354",
"description": "CWE-354 Improper Validation of Integrity Check Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:01:42.262Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/04/CVE-2026-26927"
},
{
"tags": [
"product"
],
"url": "https://www.elektronicznypodpis.pl/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Lack of Dynamic Library Validation in SzafirHost",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-26928",
"datePublished": "2026-04-02T14:01:42.262Z",
"dateReserved": "2026-02-16T09:01:03.143Z",
"dateUpdated": "2026-04-02T14:21:50.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13165 (GCVE-0-2026-13165)
Vulnerability from cvelistv5 – Published: 2026-06-29 12:16 – Updated: 2026-06-29 13:58
VLAI
Title
Remote Code Execution in SzafirHost
Summary
SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers). An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This can lead to remote code execution.
This issue was fixed in version 1.2.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/posts/2026/06/CVE-2026-13165 | third-party-advisory |
| https://www.elektronicznypodpis.pl/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Krajowa Izba Rozliczeniowa | SzafirHost |
Affected:
0 , < 1.2.2
(semver)
|
Date Public
2026-06-29 12:15
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:58:08.681080Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:58:14.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SzafirHost",
"vendor": "Krajowa Izba Rozliczeniowa",
"versions": [
{
"lessThan": "1.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mariusz Maik"
}
],
"datePublic": "2026-06-29T12:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSzafirHost \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003everifies the downloaded native library archive with one \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eJarFile\u003c/span\u003e parser (reading the Central Directory) but extracts native libraries with \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eJarInputStream parser\u003c/span\u003e (reading sequentially from local file headers).\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This\u0026nbsp;\u003c/span\u003ecan lead to remote code execution.\u003c/p\u003eThis issue was fixed in version 1.2.2.\u003cbr\u003e"
}
],
"value": "SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers).\u00a0An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This\u00a0can lead to remote code execution.\n\nThis issue was fixed in version 1.2.2."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T12:16:55.559Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/06/CVE-2026-13165"
},
{
"tags": [
"product"
],
"url": "https://www.elektronicznypodpis.pl/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Remote Code Execution in SzafirHost",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-13165",
"datePublished": "2026-06-29T12:16:55.559Z",
"dateReserved": "2026-06-24T13:07:31.310Z",
"dateUpdated": "2026-06-29T13:58:14.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44088 (GCVE-0-2026-44088)
Vulnerability from cvelistv5 – Published: 2026-05-15 08:48 – Updated: 2026-05-15 11:07
VLAI
Title
Remote Code Execution in SzafirHost
Summary
SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded.
This issue was fixed in version 1.2.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/posts/2026/05/CVE-2026-44088 | third-party-advisory |
| https://www.elektronicznypodpis.pl/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Krajowa Izba Rozliczeniowa | SzafirHost |
Affected:
0 , < 1.2.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T11:07:43.075751Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T11:07:58.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SzafirHost",
"vendor": "Krajowa Izba Rozliczeniowa",
"versions": [
{
"lessThan": "1.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mariusz Maik"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSzafirHost verifies the signature of the downloaded JAR file using class \u003ci\u003eJarInputStream\u003c/i\u003e (reading from the beginning of the file), but loads classes using class \u003ci\u003eJarFile/URLClassLoader\u003c/i\u003e (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded.\u003cbr\u003e\u003c/p\u003eThis issue was fixed in version 1.2.1."
}
],
"value": "SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded.\n\n\nThis issue was fixed in version 1.2.1."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T08:48:11.694Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/05/CVE-2026-44088"
},
{
"tags": [
"product"
],
"url": "https://www.elektronicznypodpis.pl/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Remote Code Execution in SzafirHost",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-44088",
"datePublished": "2026-05-15T08:48:11.694Z",
"dateReserved": "2026-05-05T09:40:05.100Z",
"dateUpdated": "2026-05-15T11:07:58.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-26928 (GCVE-0-2026-26928)
Vulnerability from cvelistv5 – Published: 2026-04-02 14:01 – Updated: 2026-04-02 14:21
VLAI
Title
Lack of Dynamic Library Validation in SzafirHost
Summary
SzafirHost downloads necessary files in the context of the initiating web page. When called, SzafirHost updates its dynamic library. JAR files are correctly verified based on a list of trusted file hashes, and if a file was not on that list, it was checked to see if it had been digitally signed by the vendor. The application doesn't verify hash or vendor's digital signature of uploaded DLL, SO, JNILIB or DYLIB file. The attacker can provide malicious file which will be saved in users /temp folder and executed by the application.
This issue was fixed in version 1.1.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-354 - Improper Validation of Integrity Check Value
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/posts/2026/04/CVE-2026-26927 | third-party-advisory |
| https://www.elektronicznypodpis.pl/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Krajowa Izba Rozliczeniowa | SzafirHost |
Affected:
0 , < 1.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26928",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T14:21:35.804676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:21:50.711Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SzafirHost",
"vendor": "Krajowa Izba Rozliczeniowa",
"versions": [
{
"lessThan": "1.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Leszczy\u0144ski"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SzafirHost\u0026nbsp;downloads necessary files in the context of the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003einitiating web page.\u003c/span\u003e\u0026nbsp;When called, SzafirHost updates its dynamic library. JAR files are correctly verified based on a list of trusted file hashes, and if a file was not on that list, it was checked to see if it had been digitally signed by the vendor. The application doesn\u0027t verify hash or vendor\u0027s digital signature of uploaded\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDLL, SO, JNILIB or DYLIB\u003c/span\u003e file. The attacker can provide malicious file which will be saved in users /temp folder\u0026nbsp;\u003cspan style=\"background-color: rgba(221, 223, 228, 0.04);\"\u003eand executed by the application.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 1.1.0."
}
],
"value": "SzafirHost\u00a0downloads necessary files in the context of the initiating web page.\u00a0When called, SzafirHost updates its dynamic library. JAR files are correctly verified based on a list of trusted file hashes, and if a file was not on that list, it was checked to see if it had been digitally signed by the vendor. The application doesn\u0027t verify hash or vendor\u0027s digital signature of uploaded\u00a0DLL, SO, JNILIB or DYLIB file. The attacker can provide malicious file which will be saved in users /temp folder\u00a0and executed by the application.\n\nThis issue was fixed in version 1.1.0."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-354",
"description": "CWE-354 Improper Validation of Integrity Check Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:01:42.262Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/04/CVE-2026-26927"
},
{
"tags": [
"product"
],
"url": "https://www.elektronicznypodpis.pl/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Lack of Dynamic Library Validation in SzafirHost",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-26928",
"datePublished": "2026-04-02T14:01:42.262Z",
"dateReserved": "2026-02-16T09:01:03.143Z",
"dateUpdated": "2026-04-02T14:21:50.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}