Skip to main content

Disig Web Signer CVE-2026-8931

| EUVDEUVD-2026-33648 CRITICAL
Code Injection (CWE-94)
2026-06-01 incident@nbu.gov.sk GHSA-vcv9-hx6w-934w
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 15:31 vuln.today

DescriptionCVE.org

A critical Remote Code Execution (RCE) vulnerability exists in Disig Web Signer versions 2.0.3 through 2.5.3.

AnalysisAI

Remote code execution in Disig Web Signer versions 2.0.3 through 2.5.3 allows network-adjacent attackers to execute arbitrary code on systems running this Slovak electronic signing client when a user performs a passive interaction (e.g., visiting a malicious page or processing a crafted signing request). The flaw was reported by Slovakia's National Security Authority (incident@nbu.gov.sk) and carries a CVSS 4.0 score of 9.4 (Critical) with both vulnerable and subsequent system impact rated High, indicating a likely scope-changing condition. There is no public exploit identified at time of analysis and the vulnerability is not currently listed in the CISA KEV catalog.

Technical ContextAI

Disig Web Signer is a browser-integrated client application produced by Disig a.s. that is widely used in Slovakia to create qualified electronic signatures (QES) for government services such as those exposed by the qesportal.sk portal. Such signing clients typically operate as a locally installed component that communicates with browsers over local sockets or native messaging hosts and processes signing requests originating from web pages. The CWE is not assigned, but the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:P combined with subsequent-system impact (SC:H/SI:H/SA:H) is consistent with a client-side parsing or message-handling bug that allows a malicious web origin to drive the locally installed signer into executing attacker-controlled code in the user's security context.

RemediationAI

Upgrade Disig Web Signer to version 2.5.5 or later, which is the build referenced by the vendor's QES portal notice (qesportal.sk/Portal/en/Info/News#websigner255) and the change history at download.disigcdn.sk/cdn/products/websigner2/changelog.en.txt; this is the patched release line that supersedes the vulnerable 2.0.3-2.5.3 range. Follow the vendor instructions at https://www.disig.sk/en/news/important-update-of-the-web-signer-application/ for installer download and rollout. Until all endpoints are updated, compensating controls include uninstalling Web Signer from machines that do not actively need QES, blocking the application's browser integration (native messaging host or local listening port) via endpoint policy so untrusted web origins cannot reach it, and restricting browsing on signer-equipped hosts to the trusted qesportal.sk and bank/government signing origins; the trade-off is that any of these controls will break legitimate electronic signing workflows for affected users until the upgrade is completed.

Share

CVE-2026-8931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy