Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A critical Remote Code Execution (RCE) vulnerability exists in Disig Web Signer versions 2.0.3 through 2.5.3.
AnalysisAI
Remote code execution in Disig Web Signer versions 2.0.3 through 2.5.3 allows network-adjacent attackers to execute arbitrary code on systems running this Slovak electronic signing client when a user performs a passive interaction (e.g., visiting a malicious page or processing a crafted signing request). The flaw was reported by Slovakia's National Security Authority (incident@nbu.gov.sk) and carries a CVSS 4.0 score of 9.4 (Critical) with both vulnerable and subsequent system impact rated High, indicating a likely scope-changing condition. There is no public exploit identified at time of analysis and the vulnerability is not currently listed in the CISA KEV catalog.
Technical ContextAI
Disig Web Signer is a browser-integrated client application produced by Disig a.s. that is widely used in Slovakia to create qualified electronic signatures (QES) for government services such as those exposed by the qesportal.sk portal. Such signing clients typically operate as a locally installed component that communicates with browsers over local sockets or native messaging hosts and processes signing requests originating from web pages. The CWE is not assigned, but the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:P combined with subsequent-system impact (SC:H/SI:H/SA:H) is consistent with a client-side parsing or message-handling bug that allows a malicious web origin to drive the locally installed signer into executing attacker-controlled code in the user's security context.
RemediationAI
Upgrade Disig Web Signer to version 2.5.5 or later, which is the build referenced by the vendor's QES portal notice (qesportal.sk/Portal/en/Info/News#websigner255) and the change history at download.disigcdn.sk/cdn/products/websigner2/changelog.en.txt; this is the patched release line that supersedes the vulnerable 2.0.3-2.5.3 range. Follow the vendor instructions at https://www.disig.sk/en/news/important-update-of-the-web-signer-application/ for installer download and rollout. Until all endpoints are updated, compensating controls include uninstalling Web Signer from machines that do not actively need QES, blocking the application's browser integration (native messaging host or local listening port) via endpoint policy so untrusted web origins cannot reach it, and restricting browsing on signer-equipped hosts to the trusted qesportal.sk and bank/government signing origins; the trade-off is that any of these controls will break legitimate electronic signing workflows for affected users until the upgrade is completed.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33648
GHSA-vcv9-hx6w-934w