Michał Leszczyński

#11871of 53,633
23.1Total CVSS
Vulnerabilities · 3
Medium
1
High
1
Critical
1
PT-2026-43045
9.3
2026-05-25
Unknown · Szafir Sdk · CVE-2026-9058
**Name of the Vulnerable Software and Affected Versions** Szafir SDK versions prior to 463 **Description** The software returns a success status code from the cryptographic digital signature verification process when the trust status of the signer's certificate cannot be established. Specifically, the path `/VerifyingTaskItem/Signature/VerificationResult/Result/@code` returns 0 (Positively verified) even if `/VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType` is set to `nondetermined`. This improper certificate verification allows consuming applications to treat signatures as valid despite an unverified certificate chain, which can lead to authentication bypass and user impersonation. **Recommendations** Update to version 463.
PT-2026-29741
5.1
2026-04-02
Unknown · Szafir Sdk Web · CVE-2026-26927
Name of the Vulnerable Software and Affected Versions Szafir SDK Web versions prior to 0.0.17.4 Description The Szafir SDK Web browser plug-in allows launching the SzafirHost application, which downloads necessary files upon execution. An unauthenticated attacker can manipulate the URL (HTTP Origin) of the application call location. Specifically, the `document base url` parameter lacks validation, enabling an attacker to craft a website that launches SzafirHost with arbitrary arguments. The attacker-controlled URL is displayed in an application confirmation prompt. If a victim confirms execution, the application runs within the context of the attacker's website, potentially downloading malicious files and libraries. Accepting execution with the 'remember' option bypasses the prompt, allowing silent execution within the attacker's context. Recommendations Update Szafir SDK Web to version 0.0.17.4 or later.
PT-2026-29742
8.7
2026-04-02
Unknown · Szafirhost · CVE-2026-26928
Name of the Vulnerable Software and Affected Versions SzafirHost versions prior to 1.1.0 Description The application does not verify the hash or vendor's digital signature of uploaded DLL, SO, JNILIB, or DYLIB files. This allows an attacker to provide a malicious file, which is saved in the user's /temp folder and then executed by the application. Recommendations Update to version 1.1.0 or later.