Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched. In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in document_base_url parameter is in any way related to the actual address of the calling web application. The URL address specified in document_base_url parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker without any interaction.
This issue was fixed in version 0.0.17.4.
AnalysisAI
Szafir SDK Web browser addon allows unauthenticated attackers to launch the SzafirHost application with arbitrary arguments by crafting malicious websites that spoof the HTTP origin via the document_base_url parameter. When a victim visits an attacker's site and confirms application execution (or has previously selected 'remember' for a spoofed origin), the application runs in the attacker's context, potentially downloading malicious files and libraries without further user interaction. The vulnerability was resolved in version 0.0.17.4. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
Szafir SDK Web is a browser plugin architecture that facilitates launching the SzafirHost application with automatic file downloads. The vulnerability stems from insufficient validation of the document_base_url parameter (CWE-348: URL Matching), which allows origin spoofing. The plugin displays only the attacker-controlled URL in the user confirmation prompt without verifying that it matches the actual calling web application's origin. When a user selects 'remember' for a spoofed origin, subsequent launches bypass the confirmation dialog entirely, executing code in the attacker-specified context. This occurs because the application trust model relies on user confirmation of a single URL display rather than cryptographic verification of the calling origin against an allowlist.
Affected ProductsAI
Szafir SDK Web browser addon versions prior to 0.0.17.4 are affected. The plugin is documented on elektronicznypodpis.pl and advisory details are available at cert.pl. No CPE string has been provided in the available data, but the affected product is specifically the Szafir SDK Web addon as deployed in web browsers that support the SzafirHost integration.
RemediationAI
Update Szafir SDK Web to version 0.0.17.4 or later, which addresses the origin validation flaw. Users should verify their installed version and apply the update immediately, particularly those who have previously used the 'remember' feature for any application origins. For organizations, enforce addon updates through centralized browser management policies. Full advisory details and patch availability are documented at https://cert.pl/posts/2026/04/CVE-2026-26927 and https://www.elektronicznypodpis.pl/. No workarounds are available; patching is the only remediation.
Same weakness CWE-348 – Use of Less Trusted Source
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18228