CVE-2026-44088
Description
SzafirHost verifies the signature of the downloaded JAR file using the JarInputStream class (which reads the file sequentially from the beginning), but loads classes using JarFile/URLClassLoader (which reads the Central Directory from the end of the file). Because the two parsers can disagree about the archive's contents, an attacker who combines a genuine, signed JAR file with a malicious ZIP file can make verification pass while the malicious class is the one loaded, leading to remote code execution.
This issue was fixed in version 1.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SzafirHost's JAR signature verification uses JarInputStream while class loading uses JarFile, enabling an attacker to inject malicious code via a crafted ZIP/JAR hybrid.
Vulnerability
Overview
CVE-2026-44088 is a high-severity vulnerability in SzafirHost, an application by Krajowa Izba Rozliczeniowa. The root cause is a mismatch between the methods used for JAR signature verification and class loading. Verification relies on JarInputStream, which reads the file from the beginning, while class loading uses JarFile/URLClassLoader, which reads the Central Directory from the end of the file. This discrepancy allows an attacker to craft a file that combines a genuine, signed JAR with a malicious ZIP archive, causing the signature check to pass but the malicious classes to be loaded [2].
Exploitation
An attacker can exploit this by providing a specially crafted file that appears to be a valid signed JAR but contains appended malicious ZIP data. The attack does not require authentication; it can be triggered when SzafirHost downloads or processes such a file. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) [2].
Impact
Successful exploitation leads to remote code execution, allowing the attacker to execute arbitrary code on the affected system. This could result in full compromise of the host running SzafirHost, including data theft, malware installation, or further lateral movement within the network.
Mitigation
The issue has been fixed in SzafirHost version 1.2.1. Users are strongly advised to update immediately. The vulnerability was reported to CERT Polska, which coordinated the disclosure process [2].
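The parser mismatch described above can be caught on the consuming side before any class is loaded, by reading the archive with both JDK parsers and refusing it unless they agree. The following Java check is an added example, not SzafirHost's own code; the class and method names are assumed, and it uses only java.util.jar.JarInputStream and java.util.jar.JarFile.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarInputStream;

// Hypothetical helper (not SzafirHost code): accept a downloaded JAR only when the
// stream parser (front of file) and the central-directory parser (end of file) agree.
public final class ConsistentJarCheck {
    // Directories and META-INF/ (manifest, signature files) are never loaded as classes,
    // and JarInputStream consumes the manifest silently, so skip them in both views.
    static boolean isLoadable(JarEntry e) {
        return !e.isDirectory() && !e.getName().startsWith("META-INF/");
    }

    // Entry names as JarInputStream sees them: local headers, read from the start.
    static Set<String> entriesFromStream(File jar) throws IOException {
        Set<String> names = new HashSet<>();
        try (JarInputStream in = new JarInputStream(new FileInputStream(jar), false)) {
            for (JarEntry e = in.getNextJarEntry(); e != null; e = in.getNextJarEntry()) {
                if (isLoadable(e)) names.add(e.getName());
            }
        }
        return names;
    }

    // Entry names as JarFile sees them: the Central Directory, which is the view
    // URLClassLoader loads from. verify=true makes getInputStream() check each entry's
    // digest; the bytes must be fully read before getCodeSigners() is populated.
    static Set<String> entriesFromCentralDirectory(File jar) throws IOException {
        Set<String> names = new HashSet<>();
        try (JarFile jf = new JarFile(jar, true)) {
            for (JarEntry e : Collections.list(jf.entries())) {
                if (!isLoadable(e)) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    in.readAllBytes(); // Java 9+; throws SecurityException on digest mismatch
                }
                if (e.getCodeSigners() == null) throw new SecurityException("unsigned: " + e.getName());
                names.add(e.getName());
            }
        }
        return names;
    }

    // A signed JAR with a ZIP appended exposes extra or different entries in the
    // Central Directory view; reject the file unless both views are identical.
    public static boolean isConsistent(File jar) throws IOException {
        return entriesFromStream(jar).equals(entriesFromCentralDirectory(jar));
    }
}
```

Comparing entry sets is a heuristic; the robust fix is to perform signature verification with the same JarFile view the class loader uses, which this check also enforces through the getCodeSigners() test.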
AI Insight generated by deepseek/deepseek-v4-flash-20260423 on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <1.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.