Vulnerability in SzafirHost Affects Electronic Signing Solutions
CVE-2026-13165

8.6HIGH

Key Information:

Vendor: Krajowa Izba Rozliczeniowa
Status: Szafirhost
Vendor: CVE Published:; 29 June 2026

🔔 Create Krajowa Izba Rozliczeniowa Vulnerability Alert

What is CVE-2026-13165?

A flaw in SzafirHost's handling of native library archives allows attackers to exploit the download mechanism by injecting a malicious library via local-file headers. The vulnerability arises when the product verifies the integrity of an archive without recognizing entries that have been manipulated significantly. An attacker can place a malicious DLL/SO/DYLIB between legitimate entries, bypassing verification processes that rely only on the Central Directory. Subsequent extraction processes can then facilitate remote code execution, as the contaminating library is accepted without proper validation checks.

Affected Version(s)

SzafirHost 0 < 1.2.2

References

https://cert.pl/posts/2026/06/CVE-2026-13165

third-party-advisory

https://www.elektronicznypodpis.pl/

product

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 29, 2026
Vulnerability Reserved
Jun 24, 2026

Credit

Mariusz Maik

CVE-2026-13165 Data

JSON