Remote Code Execution Vulnerability in SzafirHost by Elektroniczny Podpis
CVE-2026-44088

8.6 HIGH

Key Information:

Vendor
CVE Published:
15 May 2026

What is CVE-2026-44088?

SzafirHost improperly verifies JAR file signatures during class loading. It checks the signature with JarInputStream, which reads the archive sequentially from the beginning of the file, but it loads classes with JarFile/URLClassLoader, which locate entries through the Central Directory at the end of the file. Because the two parsers can see different sets of entries, an attacker can craft a file that combines a legitimately signed JAR with a malicious ZIP: signature verification passes on the signed portion while the class loader loads the harmful code, so verification is bypassed. The flaw was fixed in version 1.2.1.
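To make the two-parser mismatch concrete, the following added Python check (written for this page, not SzafirHost or JDK code) reads one archive both ways, sequentially through the local file headers as JarInputStream does and through the Central Directory as JarFile does, and reports whether the two views agree. The archives it parses are constructed fixtures built with the standard library, and the header offsets follow the ZIP specification.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def streamed_entries(data: bytes) -> list[str]:
    """Walk local file headers from offset 0, as JarInputStream does; the walk stops
    at the first block that is not a local header (normally the central directory)."""
    names, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        # flags, method, time, date, crc, compressed size, uncompressed size, name len, extra len
        flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<HHHHIIIHH", data, pos + 6)
        if flags & 0x0008:  # sizes deferred to a data descriptor: cannot skip ahead safely
            raise ValueError("data descriptor in use; streamed check unsupported")
        names.append(data[pos + 30:pos + 30 + nlen].decode())
        pos += 30 + nlen + xlen + csize
    return names

def central_directory_entries(data: bytes) -> list[str]:
    """Locate the central directory via the end-of-central-directory record, as JarFile does; like
    that reader it takes the directory to end where the EOCD begins, so prepended data is invisible here."""
    eocd = data.rfind(EOCD_SIG)
    total, cd_size = struct.unpack_from("<HI", data, eocd + 10)
    names, pos = [], eocd - cd_size
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("malformed central directory")
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + nlen].decode())
        pos += 46 + nlen + xlen + clen
    return names

def views_agree(data: bytes) -> bool:
    """True only if both views list the same entries in the same order; a mismatch means
    a signature check done on one view says nothing about classes loaded from the other."""
    return streamed_entries(data) == central_directory_entries(data)

def make_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed fixture: a minimal JAR-shaped archive (not a real signed JAR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()

# Constructed inputs: a consistent archive, and the same bytes with a second archive appended,
# so the directory found from the end of the file lists entries the streamed walk never reaches.
CLEAN_JAR = make_archive({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "app/Main.class": b"\xca\xfe\xba\xbe"})
APPENDED_JAR = CLEAN_JAR + make_archive({"app/Main.class": b"\xca\xfe\xba\xbe\x00\x00"})
```

A loader that verifies signatures through the same parser it loads from, or that rejects any archive where `views_agree` is false before loading, does not have this gap.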

Affected Version(s)

SzafirHost 0 < 1.2.1

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mariusz Maik