{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26927", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-02-16T09:01:03.142Z", "datePublished": "2026-04-02T14:01:39.075Z", "dateUpdated": "2026-04-02T14:19:19.180Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Szafir SDK Web", "vendor": "Krajowa Izba Rozliczeniowa", "versions": [{"lessThan": "0.0.17.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Micha\u0142 Leszczy\u0144ski"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Szafir SDK Web</span> is a browser plug-in that can run SzafirHost application which download the necessary files when launched.<br>In <span style=\"background-color: rgb(255, 255, 255);\">Szafir SDK Web</span> it is possible to change the URL (HTTP Origin) of the application call location. <span style=\"background-color: rgb(255, 255, 255);\">An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">Szafir SDK Web</span> browser addon.</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download <span style=\"background-color: rgb(255, 255, 255);\">additional files and libraries from that website</span>.</span> When victim accepts the application execution for the URL showed in the confirmation prompt with the \"remember\" option <span style=\"background-color: rgb(255, 255, 255);\">before</span>, the prompt won't be shown and the application will be called in the context of URL provided by the attacker&nbsp;without any interaction.<br><br>This issue was fixed in version 0.0.17.4.<br>"}], "value": "Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\nIn Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\u00a0Szafir SDK Web browser addon.\u00a0No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\u00a0in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the \"remember\" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker\u00a0without any interaction.\n\nThis issue was fixed in version 0.0.17.4."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-348", "description": "CWE-348 Use of Less Trusted Source", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-02T14:01:39.075Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2026/04/CVE-2026-26927"}, {"tags": ["product"], "url": "https://www.elektronicznypodpis.pl/"}], "source": {"discovery": "EXTERNAL"}, "title": "URL (HTTP Origin) call location spoofing in Szafir SDK Web", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:19:08.706495Z", "id": "CVE-2026-26927", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:19:19.180Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26927", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T14:19:08.706495Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:19:13.159Z"}}], "cna": {"title": "URL (HTTP Origin) call location spoofing in Szafir SDK Web", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Micha\u0142 Leszczy\u0144ski"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Krajowa Izba Rozliczeniowa", "product": "Szafir SDK Web", "versions": [{"status": "affected", "version": "0", "lessThan": "0.0.17.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/posts/2026/04/CVE-2026-26927", "tags": ["third-party-advisory"]}, {"url": "https://www.elektronicznypodpis.pl/", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\nIn Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\u00a0Szafir SDK Web browser addon.\u00a0No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\u00a0in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the \"remember\" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker\u00a0without any interaction.\n\nThis issue was fixed in version 0.0.17.4.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Szafir SDK Web</span> is a browser plug-in that can run SzafirHost application which download the necessary files when launched.<br>In <span style=\"background-color: rgb(255, 255, 255);\">Szafir SDK Web</span> it is possible to change the URL (HTTP Origin) of the application call location. <span style=\"background-color: rgb(255, 255, 255);\">An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">Szafir SDK Web</span> browser addon.</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download <span style=\"background-color: rgb(255, 255, 255);\">additional files and libraries from that website</span>.</span> When victim accepts the application execution for the URL showed in the confirmation prompt with the \"remember\" option <span style=\"background-color: rgb(255, 255, 255);\">before</span>, the prompt won't be shown and the application will be called in the context of URL provided by the attacker&nbsp;without any interaction.<br><br>This issue was fixed in version 0.0.17.4.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-348", "description": "CWE-348 Use of Less Trusted Source"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-02T14:01:39.075Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26927", "state": "PUBLISHED", "dateUpdated": "2026-04-02T14:19:19.180Z", "dateReserved": "2026-02-16T09:01:03.142Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-04-02T14:01:39.075Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\nIn Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\u00a0Szafir SDK Web browser addon.\u00a0No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\u00a0in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the \"remember\" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker\u00a0without any interaction.\n\nThis issue was fixed in version 0.0.17.4."}], "id": "CVE-2026-26927", "lastModified": "2026-04-02T14:16:25.873", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-04-02T14:16:25.873", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/posts/2026/04/CVE-2026-26927"}, {"source": "cvd@cert.pl", "url": "https://www.elektronicznypodpis.pl/"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-348"}], "source": "cvd@cert.pl", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.0.17.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Szafir SDK Web", "source": "cna", "vendor": "Krajowa Izba Rozliczeniowa"}, "product": "szafir_sdk_web", "vendor": "krajowa_izba_rozliczeniowa"}], "analysis": {"en": {"generated_at": "2026-04-02T16:26:58.286700+00:00", "value": {"mitigation_remediation": ["Upgrade Szafir SDK Web to version\u202f0.0.17.4 or newer", "If an upgrade is not feasible, disable or uninstall the Szafir SDK Web plug\u2011in", "Avoid selecting the \u201cremember\u201d option or clear remembered settings to prevent silent execution", "Verify that any confirmation prompt for SzafirHost reflects the actual site and monitor for unexpected prompts"], "summary": {"action": "Apply patch", "impact": "Untrusted download via Szafir SDK Web plug\u2011in"}, "threat_synthesis": {"affected_systems": "The flaw affects the Szafir SDK Web plug\u2011in distributed by Krajowa Izba Rozliczeniowa. All releases prior to version\u202f0.0.17.4 are vulnerable. The issue was resolved in 0.0.17.4; applying that upgrade removes the vulnerability.", "description_and_impact": "This vulnerability, identified as a CWE\u2011348 weakness, allows an unauthenticated attacker to alter the HTTP Origin used by the Szafir SDK Web plug\u2011in when launching the SzafirHost application. Because the plug\u2011in performs no validation on the document_base_url parameter, the attacker can redirect the application call to any address, which is then shown in the user confirmation prompt. If the victim confirms or selects \u201cremember\u201d, the application runs with the attacker\u2011supplied arguments and may download additional files or libraries from the attacker\u2019s site, potentially leading to execution of malicious code.", "risk_and_exploitability": "The CVSS score of 5.1 indicates medium severity. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, suggesting limited exposure in the wild. The likely attack vector involves a malicious web page that triggers the plug\u2011in to launch SzafirHost with forged parameters; once the user accepts the confirmation prompt, the attacker\u2019s site controls the application context and can download arbitrary content. Selecting the \u201cremember\u201d option elevates the risk by bypassing future prompts and enabling silent execution."}}}}, "created": "2026-04-02T20:12:24.912137+00:00", "updated": "2026-04-02T20:21:05.522676+00:00", "vendors": ["krajowa_izba_rozliczeniowa", "krajowa_izba_rozliczeniowa$PRODUCT$szafir_sdk_web"]}