Description

SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded. This issue was fixed in version 1.2.1.
Published: 2026-05-15
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SzafirHost verifies the signature of a downloaded JAR file using JarInputStream, which reads from the beginning of the file, but then loads classes with JarFile/URLClassLoader, which reads the Central Directory from the end. This mismatch allows an attacker to append malicious ZIP entries to a legitimate signed JAR, causing the signature check to succeed while the malicious class is loaded. The attacker can thus achieve remote code execution within the host JVM, potentially compromising integrity and confidentiality of the affected system.
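The root cause described in the Description and in the Impact paragraph above is a parser differential: the verifier walks the local file headers from the start of the file, while the class loader trusts the Central Directory at the end, so the two can describe different sets of entries. The following verifier is an added example, not code from SzafirHost or Krajowa Izba Rozliczeniowa. It closes the gap in two ways: it verifies with JarFile, the same Central-Directory-based parser URLClassLoader will use, requiring every loadable entry to be signed by an expected certificate with a matching manifest digest; and it cross-checks the Central Directory's entry list against a sequential read of the local headers, rejecting any archive where the two views disagree. The class name, the expected-signer parameter and the Java 11+ requirement (InputStream.transferTo, OutputStream.nullOutputStream) are assumptions of this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/**
 * Hypothetical verifier (example code, not SzafirHost's own): the signature check
 * is done with JarFile, i.e. the same Central-Directory-based parser that
 * URLClassLoader uses, and its view of the archive is cross-checked against a
 * sequential read of the local file headers. Assumes Java 11+.
 */
public final class ConsistentJarVerifier {

    private ConsistentJarVerifier() {}

    /** Entry names as a sequential reader sees them (local headers, from the start). */
    static Set<String> streamEntryNames(File jar) throws IOException {
        Set<String> names = new HashSet<>();
        try (ZipInputStream in = new ZipInputStream(new FileInputStream(jar))) {
            for (ZipEntry e = in.getNextEntry(); e != null; e = in.getNextEntry()) {
                names.add(e.getName());
            }
        }
        return names;
    }

    /**
     * Throws SecurityException unless every non-signature entry the loader would
     * see is signed by expectedSigner with a matching digest, and the Central
     * Directory lists exactly the entries the sequential reader found.
     */
    static void verify(File jar, X509Certificate expectedSigner) throws IOException {
        Set<String> streamNames = streamEntryNames(jar);
        Set<String> directoryNames = new HashSet<>();
        try (JarFile jf = new JarFile(jar, true)) {   // verify = true
            if (jf.getManifest() == null) {
                throw new SecurityException("JAR has no manifest, so it cannot be signed");
            }
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                directoryNames.add(entry.getName());
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) {
                    continue;
                }
                // JarFile checks the entry digest against the manifest, and populates
                // getCodeSigners(), only once the entry has been read to EOF.
                try (InputStream in = jf.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || !signedBy(signers, expectedSigner)) {
                    throw new SecurityException("unsigned or foreign entry: " + entry.getName());
                }
            }
        }
        // Parser-differential check: the loader's view and the stream view must agree.
        if (!directoryNames.equals(streamNames)) {
            throw new SecurityException("Central Directory and local headers disagree: "
                    + "directory=" + directoryNames + " stream=" + streamNames);
        }
    }

    private static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/")) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF")
                || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    private static boolean signedBy(CodeSigner[] signers, X509Certificate expected) {
        for (CodeSigner s : signers) {
            // The leaf certificate is the first element of the signer's cert path.
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            if (leaf.equals(expected)) return true;
        }
        return false;
    }

    /** Usage: java ConsistentJarVerifier downloaded.jar expected-signer.crt */
    public static void main(String[] args) throws Exception {
        X509Certificate expected;
        try (InputStream in = new FileInputStream(args[1])) {
            expected = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        verify(new File(args[0]), expected);
        System.out.println("OK: " + args[0] + " is consistent and signed by the expected certificate");
    }
}
```

The essential mitigation is the first half: verification and loading must use the same parser, and every entry that could be loaded must carry a valid signature from a pinned certificate, not merely "some signature somewhere in the file". The local-header cross-check is belt-and-braces; it also catches trailing data that a signed JAR has no business carrying. The verified file should then be loaded from the same path it was verified at, ideally a private directory the application controls, so that the checked bytes are the loaded bytes.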

Affected Systems

Vulnerable product is SzafirHost provided by Krajowa Izba Rozliczeniowa. The flaw is present in all releases prior to 1.2.1. No specific patch version is listed beyond the note that version 1.2.1 contains the fix.

Risk and Exploitability

CVSS score of 8.6 indicates a high severity. EPSS score is not available, so exploitation probability is unknown, but the vulnerability is not listed in CISA’s KEV catalog. The attack path likely needs delivery of a crafted JAR to the application, implying supply‑chain or insider threat vectors. Once the malicious class is loaded, it could execute arbitrary code with the privileges of the JVM process, making the risk serious for systems that run SzafirHost with untrusted code.

Generated by OpenCVE AI on May 15, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SzafirHost to version 1.2.1 or later to apply the signature verification fix.
  • If an upgrade is not yet possible, limit the ability of the application to load external JAR files, or remove any automatic downloading of third‑party JARs from untrusted sources.
  • Examine deployment pipelines and access controls to ensure that only verified code is introduced to the environment, reducing the likelihood of a malicious JAR being executed.

Generated by OpenCVE AI on May 15, 2026 at 10:20 UTC.

Advisories

No advisories yet.

History

Fri, 15 May 2026 12:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Krajowa Izba Rozliczeniowa
                                       Krajowa Izba Rozliczeniowa szafirhost
Vendors & Products                     Krajowa Izba Rozliczeniowa
                                       Krajowa Izba Rozliczeniowa szafirhost

Fri, 15 May 2026 09:00:00 +0000

Type          Values Removed   Values Added
Description                    SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded. This issue was fixed in version 1.2.1.
Title                          Remote Code Execution in SzafirHost
Weaknesses                     CWE-434
References
Metrics                        cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-15T11:07:58.948Z

Reserved: 2026-05-05T09:40:05.100Z

Link: CVE-2026-44088

Vulnrichment

Updated: 2026-05-15T11:07:53.712Z

NVD

Status: Awaiting Analysis

Published: 2026-05-15T09:16:16.307

Modified: 2026-05-15T14:56:18.253

Link: CVE-2026-44088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T10:30:42Z

Weaknesses