Skip to main content

SzafirHost CVE-2026-13165

| EUVDEUVD-2026-40078 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-29 CERT-PL GHSA-r9vj-frg8-hc25
8.6
CVSS 4.0 · Vendor: CERT-PL
Share

Severity by source

Vendor (CERT-PL) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-delivered but requires attacker-controlled archive source and victim action, so AC:H and UI:R; unauthenticated on target (PR:N) with full host RCE giving C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CERT-PL).

CVSS VectorVendor: CERT-PL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jun 29, 2026 - 15:01 EUVD
Analysis Generated
Jun 29, 2026 - 14:24 vuln.today

DescriptionCVE.org

SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers). An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This can lead to remote code execution.

This issue was fixed in version 1.2.2.

AnalysisAI

Remote code execution in SzafirHost (KIR's Szafir electronic-signature host application) arises from a ZIP/JAR parser-confusion flaw: signature verification reads the archive's Central Directory while extraction reads local file headers sequentially, letting an attacker who controls the served native-library archive smuggle an unsigned malicious DLL/SO/DYLIB past the signature check. Versions prior to 1.2.2 are affected; the injected library is written to the native temp directory and loaded, yielding code execution on the victim's machine. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain control of served archive (server compromise or MITM)
Delivery
Inject malicious native lib as local-header-only entry
Exploit
Signature check reads Central Directory and accepts archive
Execution
User runs SzafirHost, extractor writes lib to temp dir
Impact
Native library loaded, arbitrary code executes

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control the served native-library archive (a compromised KIR distribution server or a man-in-the-middle position on the download channel) and to craft a ZIP/JAR with an extra local-file-header entry that is omitted from the Central Directory so it bypasses JarFile signature verification while remaining visible to the JarInputStream extractor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 base score is 8.6 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, indicating network-reachable, unauthenticated, low-complexity attack with high confidentiality/integrity/availability impact but requiring active user interaction (UI:A) and an attacker-controlled archive source. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or intercepts the archive distribution channel appends a malicious native library as a local-file-header entry between the last legitimate entry and the Central Directory, leaving the Central Directory (and thus the signature) untouched. When a victim runs SzafirHost and it downloads and extracts the archive, the signature verifier accepts it as validly signed while the sequential extractor writes the attacker's DLL/SO/DYLIB to the native temp directory and loads it, executing attacker code. …
Remediation Vendor-released patch: 1.2.2 - upgrade SzafirHost to version 1.2.2 or later, which corrects the parser inconsistency so signature verification and extraction operate on the same archive view. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all SzafirHost deployments and restrict network access to trusted sources only; assess if isolated operation is feasible until remediation is available. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13165 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy