Description

Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched. In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker without any interaction. This issue was fixed in version 0.0.17.4.

INFO

Published Date :

2026-04-02T14:01:39.075Z

Last Modified :

2026-04-02T14:19:19.180Z

Source :

CERT-PL
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26927 vulnerability.

Vendors Products
Krajowa Izba Rozliczeniowa
  • Szafir Sdk Web
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26927.

URL Resource
https://cert.pl/posts/2026/04/CVE-2026-26927 cve-icon cve-icon
https://www.elektronicznypodpis.pl/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability