CVE-2026-26927 (GCVE-0-2026-26927)

Vulnerability from cvelistv5 – Published: 2026-04-02 14:01 – Updated: 2026-04-02 14:19
VLAI?
Title
URL (HTTP Origin) call location spoofing in Szafir SDK Web
Summary
Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched. In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker without any interaction. This issue was fixed in version 0.0.17.4.
Severity ?
5.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-348 - Use of Less Trusted Source
Assigner
References
Impacted products
Vendor Product Version
Krajowa Izba Rozliczeniowa Szafir SDK Web Affected: 0 , < 0.0.17.4 (semver)
Create a notification for this product.
Credits
Michał Leszczyński
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-26927",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T14:19:08.706495Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T14:19:19.180Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Szafir SDK Web",
          "vendor": "Krajowa Izba Rozliczeniowa",
          "versions": [
            {
              "lessThan": "0.0.17.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Micha\u0142 Leszczy\u0144ski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSzafir SDK Web\u003c/span\u003e is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\u003cbr\u003eIn \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSzafir SDK Web\u003c/span\u003e it is possible to change the URL (HTTP Origin) of the application call location. \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSzafir SDK Web\u003c/span\u003e browser addon.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker\u0027s website URL and might download \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eadditional files and libraries from that website\u003c/span\u003e.\u003c/span\u003e When victim accepts the application execution for the URL showed in the confirmation prompt with the \"remember\" option \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ebefore\u003c/span\u003e, the prompt won\u0027t be shown and the application will be called in the context of URL provided by the attacker\u0026nbsp;without any interaction.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 0.0.17.4.\u003cbr\u003e"
            }
          ],
          "value": "Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\nIn Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\u00a0Szafir SDK Web browser addon.\u00a0No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\u00a0in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker\u0027s website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the \"remember\" option before, the prompt won\u0027t be shown and the application will be called in the context of URL provided by the attacker\u00a0without any interaction.\n\nThis issue was fixed in version 0.0.17.4."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-348",
              "description": "CWE-348 Use of Less Trusted Source",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-02T14:01:39.075Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/posts/2026/04/CVE-2026-26927"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.elektronicznypodpis.pl/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "URL (HTTP Origin) call location spoofing in Szafir SDK Web",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2026-26927",
    "datePublished": "2026-04-02T14:01:39.075Z",
    "dateReserved": "2026-02-16T09:01:03.142Z",
    "dateUpdated": "2026-04-02T14:19:19.180Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-26927",
      "date": "2026-04-16",
      "epss": "0.00036",
      "percentile": "0.10613"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-26927\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2026-04-02T14:16:25.873\",\"lastModified\":\"2026-04-03T16:10:52.680\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\\nIn Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\u00a0Szafir SDK Web browser addon.\u00a0No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\u00a0in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker\u0027s website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the \\\"remember\\\" option before, the prompt won\u0027t be shown and the application will be called in the context of URL provided by the attacker\u00a0without any interaction.\\n\\nThis issue was fixed in version 0.0.17.4.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-348\"}]}],\"references\":[{\"url\":\"https://cert.pl/posts/2026/04/CVE-2026-26927\",\"source\":\"cvd@cert.pl\"},{\"url\":\"https://www.elektronicznypodpis.pl/\",\"source\":\"cvd@cert.pl\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26927\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-02T14:19:08.706495Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-02T14:19:13.159Z\"}}], \"cna\": {\"title\": \"URL (HTTP Origin) call location spoofing in Szafir SDK Web\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Micha\\u0142 Leszczy\\u0144ski\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Krajowa Izba Rozliczeniowa\", \"product\": \"Szafir SDK Web\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.0.17.4\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://cert.pl/posts/2026/04/CVE-2026-26927\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.elektronicznypodpis.pl/\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\\nIn Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\\u00a0Szafir SDK Web browser addon.\\u00a0No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\\u00a0in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker\u0027s website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the \\\"remember\\\" option before, the prompt won\u0027t be shown and the application will be called in the context of URL provided by the attacker\\u00a0without any interaction.\\n\\nThis issue was fixed in version 0.0.17.4.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eSzafir SDK Web\u003c/span\u003e is a browser plug-in that can run SzafirHost application which download the necessary files when launched.\u003cbr\u003eIn \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eSzafir SDK Web\u003c/span\u003e it is possible to change the URL (HTTP Origin) of the application call location. \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eAn unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eSzafir SDK Web\u003c/span\u003e browser addon.\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker\u0027s website URL and might download \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eadditional files and libraries from that website\u003c/span\u003e.\u003c/span\u003e When victim accepts the application execution for the URL showed in the confirmation prompt with the \\\"remember\\\" option \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ebefore\u003c/span\u003e, the prompt won\u0027t be shown and the application will be called in the context of URL provided by the attacker\u0026nbsp;without any interaction.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 0.0.17.4.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-348\", \"description\": \"CWE-348 Use of Less Trusted Source\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2026-04-02T14:01:39.075Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-26927\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-02T14:19:19.180Z\", \"dateReserved\": \"2026-02-16T09:01:03.142Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2026-04-02T14:01:39.075Z\", \"assignerShortName\": \"CERT-PL\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.