A critical vulnerability in Szafir SDK causes cryptographic digital signature verification to return a success status code even when the signer's certificate trust status cannot be established. The SDK reports 'Positively verified' (Result/@code == 0) despite the certificate type being 'nondetermined', indicating an unverified certificate chain. This logic error allows consuming applications to incorrectl [truncated]
Severity: HIGH | Vendor: Krajowa Izba Rozliczeniowa | CVE published 2026-05-15
CVE-2026-44088 describes a signature verification bypass in SzafirHost, Polish electronic signature software. The vulnerability stems from a mismatch between how the application verifies JAR file signatures and how it loads classes. SzafirHost uses `JarInputStream` to verify signatures, which reads from the beginning of the file, but uses `JarFile`/`URLClassLoader` to load classes, which reads the Ce [truncated]