Security Vulnerability in Szafir SDK Web by Elektroniczny Podpis
CVE-2026-26927

5.1MEDIUM

Key Information:

Vendor: Krajowa Izba Rozliczeniowa
Status: Szafir Sdk Web
Vendor: CVE Published:; 2 April 2026

🔔 Create Krajowa Izba Rozliczeniowa Vulnerability Alert

What is CVE-2026-26927?

The Szafir SDK Web browser plug-in poses a significant vulnerability where an unauthenticated attacker can manipulate the URL used to launch the SzafirHost application. This is achieved by crafting a malicious website that uses the Szafir SDK Web to launch the application with arbitrary arguments. Notably, the application does not validate the document_base_url parameter, allowing attackers to display the confirmation prompt with a misleading URL. When users approve this action, the application executes within the context of the attacker’s website, enabling the download of harmful files and libraries without proper user interaction if the 'remember' option is selected. Users are encouraged to update to version 0.0.17.4 or later to mitigate this risk.

Affected Version(s)

Szafir SDK Web 0 < 0.0.17.4

References

https://cert.pl/posts/2026/04/CVE-2026-26927

third-party-advisory

https://www.elektronicznypodpis.pl/

product

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 2, 2026
Vulnerability Reserved
Feb 16, 2026

Credit

Michał Leszczyński

CVE-2026-26927 Data

JSON