PT-2026-43045 · Unknown · Szafir Sdk

Michał Leszczyński

·

Published

2026-05-25

·

Updated

2026-05-28

·

CVE-2026-9058

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Szafir SDK versions prior to 463
Description The software returns a success status code from the cryptographic digital signature verification process when the trust status of the signer's certificate cannot be established. Specifically, the path /VerifyingTaskItem/Signature/VerificationResult/Result/@code returns 0 (Positively verified) even if /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType is set to nondetermined. This improper certificate verification allows consuming applications to treat signatures as valid despite an unverified certificate chain, which can lead to authentication bypass and user impersonation.
Recommendations Update to version 463.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9058

Affected Products

Szafir Sdk