{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-13165", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-06-24T13:07:31.310Z", "datePublished": "2026-06-29T12:16:55.559Z", "dateUpdated": "2026-06-29T13:58:14.780Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SzafirHost", "vendor": "Krajowa Izba Rozliczeniowa", "versions": [{"lessThan": "1.2.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mariusz Maik"}], "datePublic": "2026-06-29T12:15:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SzafirHost <span style=\"background-color: rgb(255, 255, 255);\">verifies the downloaded native library archive with one <span style=\"background-color: rgb(255, 255, 255);\">JarFile</span> parser (reading the Central Directory) but extracts native libraries with <span style=\"background-color: rgb(255, 255, 255);\">JarInputStream parser</span> (reading sequentially from local file headers).&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This&nbsp;</span>can lead to remote code execution.</p>This issue was fixed in version 1.2.2.<br>"}], "value": "SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers).\u00a0An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This\u00a0can lead to remote code execution.\n\nThis issue was fixed in version 1.2.2."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.6, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-06-29T12:16:55.559Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2026/06/CVE-2026-13165"}, {"tags": ["product"], "url": "https://www.elektronicznypodpis.pl/"}], "source": {"discovery": "EXTERNAL"}, "title": "Remote Code Execution in SzafirHost", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-29T13:58:08.681080Z", "id": "CVE-2026-13165", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-29T13:58:14.780Z"}}]}}

{}

{}

{}

{"created": "2026-06-29T14:30:18.568072+00:00", "updated": "2026-06-29T14:30:18.568078+00:00", "vendors": []}