Description
Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.
In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker without any interaction.

This issue was fixed in version 0.0.17.4.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Untrusted download via Szafir SDK Web plug‑in
Action: Apply patch
AI Analysis

Impact

This vulnerability, identified as a CWE‑348 weakness, allows an unauthenticated attacker to alter the HTTP Origin used by the Szafir SDK Web plug‑in when launching the SzafirHost application. Because the plug‑in performs no validation on the document_base_url parameter, the attacker can redirect the application call to any address, which is then shown in the user confirmation prompt. If the victim confirms or selects “remember”, the application runs with the attacker‑supplied arguments and may download additional files or libraries from the attacker’s site, potentially leading to execution of malicious code.

Affected Systems

The flaw affects the Szafir SDK Web plug‑in distributed by Krajowa Izba Rozliczeniowa. All releases prior to version 0.0.17.4 are vulnerable. The issue was resolved in 0.0.17.4; applying that upgrade removes the vulnerability.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, suggesting limited exposure in the wild. The likely attack vector involves a malicious web page that triggers the plug‑in to launch SzafirHost with forged parameters; once the user accepts the confirmation prompt, the attacker’s site controls the application context and can download arbitrary content. Selecting the “remember” option elevates the risk by bypassing future prompts and enabling silent execution.

Generated by OpenCVE AI on April 2, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Szafir SDK Web to version 0.0.17.4 or newer
  • If an upgrade is not feasible, disable or uninstall the Szafir SDK Web plug‑in
  • Avoid selecting the “remember” option or clear remembered settings to prevent silent execution
  • Verify that any confirmation prompt for SzafirHost reflects the actual site and monitor for unexpected prompts

Generated by OpenCVE AI on April 2, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Krajowa Izba Rozliczeniowa
Krajowa Izba Rozliczeniowa szafir Sdk Web
Vendors & Products Krajowa Izba Rozliczeniowa
Krajowa Izba Rozliczeniowa szafir Sdk Web

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched. In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker without any interaction. This issue was fixed in version 0.0.17.4.
Title URL (HTTP Origin) call location spoofing in Szafir SDK Web
Weaknesses CWE-348
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Krajowa Izba Rozliczeniowa Szafir Sdk Web
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-02T14:19:19.180Z

Reserved: 2026-02-16T09:01:03.142Z

Link: CVE-2026-26927

cve-icon Vulnrichment

Updated: 2026-04-02T14:19:13.159Z

cve-icon NVD

Status : Deferred

Published: 2026-04-02T14:16:25.873

Modified: 2026-04-27T19:22:58.477

Link: CVE-2026-26927

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:21:05Z

Weaknesses