Skip to main content

Szafir SDK Web CVE-2026-26927

| EUVDEUVD-2026-18228 MEDIUM
Use of Less Trusted Source (CWE-348)
2026-04-02 cvd@cert.pl
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 02, 2026 - 14:22 euvd
EUVD-2026-18228
Analysis Generated
Apr 02, 2026 - 14:22 vuln.today
CVE Published
Apr 02, 2026 - 14:16 nvd
MEDIUM 5.1

DescriptionCVE.org

Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched. In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in document_base_url parameter is in any way related to the actual address of the calling web application. The URL address specified in document_base_url parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker without any interaction.

This issue was fixed in version 0.0.17.4.

AnalysisAI

Szafir SDK Web browser addon allows unauthenticated attackers to launch the SzafirHost application with arbitrary arguments by crafting malicious websites that spoof the HTTP origin via the document_base_url parameter. When a victim visits an attacker's site and confirms application execution (or has previously selected 'remember' for a spoofed origin), the application runs in the attacker's context, potentially downloading malicious files and libraries without further user interaction. The vulnerability was resolved in version 0.0.17.4. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

Szafir SDK Web is a browser plugin architecture that facilitates launching the SzafirHost application with automatic file downloads. The vulnerability stems from insufficient validation of the document_base_url parameter (CWE-348: URL Matching), which allows origin spoofing. The plugin displays only the attacker-controlled URL in the user confirmation prompt without verifying that it matches the actual calling web application's origin. When a user selects 'remember' for a spoofed origin, subsequent launches bypass the confirmation dialog entirely, executing code in the attacker-specified context. This occurs because the application trust model relies on user confirmation of a single URL display rather than cryptographic verification of the calling origin against an allowlist.

Affected ProductsAI

Szafir SDK Web browser addon versions prior to 0.0.17.4 are affected. The plugin is documented on elektronicznypodpis.pl and advisory details are available at cert.pl. No CPE string has been provided in the available data, but the affected product is specifically the Szafir SDK Web addon as deployed in web browsers that support the SzafirHost integration.

RemediationAI

Update Szafir SDK Web to version 0.0.17.4 or later, which addresses the origin validation flaw. Users should verify their installed version and apply the update immediately, particularly those who have previously used the 'remember' feature for any application origins. For organizations, enforce addon updates through centralized browser management policies. Full advisory details and patch availability are documented at https://cert.pl/posts/2026/04/CVE-2026-26927 and https://www.elektronicznypodpis.pl/. No workarounds are available; patching is the only remediation.

Share

CVE-2026-26927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy