๐Ÿ” CVE Alert

CVE-2026-44088

UNKNOWN 0.0

Remote Code Execution in SzafirHost

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

SzafirHost verifies the signature of the downloaded JAR file with the JarInputStream class, which reads the archive from the beginning of the file, but loads classes with JarFile/URLClassLoader, which read the Central Directory from the end. This mismatch can lead to remote code execution: an attacker can combine a genuine, signed JAR file with a malicious ZIP file so that verification passes but the malicious class is loaded. This issue was fixed in version 1.2.1.
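
A defender-side consistency check for the parser mismatch described above, as an added example (not SzafirHost's code and not the vendor's fix): it lists an archive's entries once by walking local headers from the start and once from the central directory found at the end, and rejects the file when the two views differ. All function names and sample archives are constructed for illustration, and Python's `zipfile` stands in for the Java classes.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"  # local file header signature

def front_view(data):
    """Entries as a streaming reader sees them: local headers walked from offset 0."""
    entries, pos = [], 0
    while data[pos:pos + 4] == LFH_SIG:
        flags, = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x08:  # sizes live in a trailing data descriptor, not the header
            raise ValueError("data descriptor in use")
        csize, = struct.unpack_from("<I", data, pos + 18)
        nlen, xlen = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, pos))
        pos += 30 + nlen + xlen + csize  # jump to the next local header
    return entries

def end_view(data):
    """Entries as a random-access reader sees them: central directory found from the end."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, i.header_offset) for i in zf.infolist()]

def is_ambiguous(data):
    """True when the two parsing strategies disagree about the archive's contents."""
    try:
        return sorted(front_view(data)) != sorted(end_view(data))
    except (ValueError, zipfile.BadZipFile, struct.error):
        return True  # fail closed on anything that cannot be parsed both ways

def make_zip(files):
    """Build a small stored (uncompressed) archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples with benign contents; COMBINED stands in for the
# "genuine JAR combined with a second ZIP" file the advisory describes.
CLEAN = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                  "app/Main.class": b"original"})
OTHER = make_zip({"app/Main.class": b"different"})
COMBINED = CLEAN + OTHER

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("combined", COMBINED)):
        print(label, front_view(blob), end_view(blob), is_ambiguous(blob))
```

Archives that store sizes in data descriptors are rejected rather than parsed here, which is stricter than a production check would need to be.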

CWE: CWE-434
Vendor: krajowa izba rozliczeniowa
Product: szafirhost
Published: May 15, 2026

Affected Versions

Krajowa Izba Rozliczeniowa / SzafirHost
0 < 1.2.1

References

cert.pl: https://cert.pl/posts/2026/05/CVE-2026-44088
elektronicznypodpis.pl: https://www.elektronicznypodpis.pl/

Credits

Mariusz Maik