Arbitrary file upload in Krajowa Izba Rozliczeniowa Szafirhost
CVE-2026-44088
SzafirHost verifies the signature of the downloaded JAR file using the JarInputStream class (which reads from the beginning of the file), but loads classes using the JarFile/URLClassLoader classes (which read the Central Directory from the end of the file). It can lea…
Vulnerability class: Unrestricted File Upload
EPSS: 0.004 (63.6th percentile)
Affected products
- Krajowa Izba Rozliczeniowa Szafirhost — versions 0
Weakness classification (CWE)
References
- cvd@cert.pl (third-party-advisory)
- cvd@cert.pl (product)