CVE-2026-44088: CWE-434 Unrestricted Upload of File with Dangerous Type in Krajowa Izba Rozliczeniowa SzafirHost
SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded. This issue was fixed in version 1.2.1.
AI Analysis
Technical Summary
SzafirHost performs signature verification of JAR files using JarInputStream, which reads from the start of the file, but loads classes using JarFile/URLClassLoader, which reads the Central Directory at the end of the file. This inconsistency can be exploited by combining a legitimate signed JAR with a malicious ZIP structure, allowing the malicious classes to be loaded despite passing signature verification. This leads to a remote code execution vulnerability classified under CWE-434. The vulnerability has been addressed in version 1.2.1 of SzafirHost.
Potential Impact
Successful exploitation can result in remote code execution on systems running vulnerable versions of SzafirHost. This allows attackers to execute arbitrary code with the privileges of the application, posing a significant security risk. No known exploits are currently reported in the wild.
Mitigation Recommendations
This vulnerability has been fixed in SzafirHost version 1.2.1. Users should upgrade to this version or later to remediate the issue. Since the vendor advisory confirms the fix, no additional mitigation steps are required beyond applying the official update.
CVE-2026-44088: CWE-434 Unrestricted Upload of File with Dangerous Type in Krajowa Izba Rozliczeniowa SzafirHost
Description
SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded. This issue was fixed in version 1.2.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SzafirHost performs signature verification of JAR files using JarInputStream, which reads from the start of the file, but loads classes using JarFile/URLClassLoader, which reads the Central Directory at the end of the file. This inconsistency can be exploited by combining a legitimate signed JAR with a malicious ZIP structure, allowing the malicious classes to be loaded despite passing signature verification. This leads to a remote code execution vulnerability classified under CWE-434. The vulnerability has been addressed in version 1.2.1 of SzafirHost.
Potential Impact
Successful exploitation can result in remote code execution on systems running vulnerable versions of SzafirHost. This allows attackers to execute arbitrary code with the privileges of the application, posing a significant security risk. No known exploits are currently reported in the wild.
Mitigation Recommendations
This vulnerability has been fixed in SzafirHost version 1.2.1. Users should upgrade to this version or later to remediate the issue. Since the vendor advisory confirms the fix, no additional mitigation steps are required beyond applying the official update.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CERT-PL
- Date Reserved
- 2026-05-05T09:40:05.100Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a06de9aec166c07b0e66a06
Added to database: 5/15/2026, 8:51:38 AM
Last enriched: 5/15/2026, 9:09:54 AM
Last updated: 5/16/2026, 6:01:29 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.