SzafirHost RCE Lets Forged Native Libraries Bypass Signature Checks
CERT Polska disclosed CVE-2026-13165, a high-severity remote code execution flaw in Krajowa Izba Rozliczeniowa's SzafirHost software that affects all versions before 1.2.2. The vulnerability arises from inconsistent parsing of a downloaded signed native library archive: signature verification uses JarFile to read the ZIP Central Directory, while extraction uses JarInputStream to process local file headers sequentially.
An attacker able to control the served archive can add a malicious DLL, SO, or DYLIB entry that does not appear in the Central Directory, allowing the archive to pass signature validation while the rogue library is still written to disk and potentially executed from the native temporary directory. The issue is tracked as CVE-2026-13165, carries a CVSS 4.0 score of 8.6, and was fixed in SzafirHost 1.2.2 after coordinated disclosure by CERT Polska; Mariusz Maik was credited with reporting the flaw.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE feed lists CVE-2026-13165 as high severity
On 2026-06-29, a CVE feed entry described CVE-2026-13165 as a high-severity SzafirHost remote code execution flaw with a CVSS 4.0 base score of 8.6, citing CERT-PL as the source.
CERT Polska publishes advisory for CVE-2026-13165
On 2026-06-01, CERT Polska published an advisory describing CVE-2026-13165, a remote code execution vulnerability in SzafirHost caused by inconsistent parsing between JarFile verification and JarInputStream extraction.
SzafirHost 1.2.2 fixes CVE-2026-13165
Krajowa Izba Rozliczeniowa fixed the remote code execution vulnerability CVE-2026-13165 in SzafirHost version 1.2.2. The flaw affected all versions before 1.2.2 and involved inconsistent parsing of signed native library archives.
Researcher reports SzafirHost archive parsing vulnerability
CERT Polska said it coordinated disclosure after receiving a responsible report from Mariusz Maik about a remote code execution flaw in Krajowa Izba Rozliczeniowa's SzafirHost software.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical 7-Zip NTFS Handler Flaw Enables Code Execution via Crafted Archives
Researchers disclosed **CVE-2026-48095**, a critical heap buffer overflow in 7-Zip affecting version `26.00` and earlier that can lead to application crashes, denial of service, or arbitrary code execution. The bug, reported by Jaroslav Lobačevski of GitHub Security Lab and tracked in advisory `GHSL-2026-140`, resides in the NTFS archive handler’s `CInStream::GetCuSize()` logic, where an under-allocation can shrink a buffer to 1 byte before a later operation writes up to 256 MB of attacker-controlled data into it. The resulting heap corruption can overwrite adjacent objects, including a stream object’s **vtable** pointer, creating a path to code execution. The vulnerability can be triggered simply by opening a specially crafted file because 7-Zip uses signature-based fallback detection and may route files disguised as `.7z`, `.zip`, or `.rar` into the vulnerable NTFS parser regardless of extension. Reports say both 32-bit and 64-bit builds are affected, with 64-bit systems that have sufficient memory more likely to reach reliable code execution, while lower-memory systems may instead crash. Public disclosure included technical details and a Python proof-of-concept generator, raising the risk of weaponization; the issue carries a **CVSS 3.1 score of 8.8**, and users are being urged to update 7-Zip and avoid opening untrusted archives.
Jun 29, 2026
Logseq Flaws Enable XSS-to-RCE and Arbitrary File Access
CERT Polska disclosed four vulnerabilities in **Logseq** affecting releases through `0.10.15`, including an **OS command injection** flaw, an exposed dangerous function that permits arbitrary file operations, a **stored XSS** issue in plugin metadata, and a **sandbox escape** that can lead to privileged JavaScript execution. The vulnerabilities were reported by Bartłomiej Dmitruk of striga.ai and published after coordinated disclosure. The issues can be chained so that an attacker who gains JavaScript execution in the renderer—through stored XSS or a malicious plugin—can escalate to **arbitrary shell command execution** or unauthorized access to files on the host system. CERT Polska said `v0.10.15` was tested and confirmed vulnerable for one issue, while the status of other versions remained unclear because the vendor had not yet addressed the problems.
Jun 29, 2026
jsrsasign Flaws Enable DSA Signature Forgery and Private Key Recovery
Three high-severity vulnerabilities have been disclosed in the JavaScript cryptography library **jsrsasign**, all affecting versions before `11.1.1` and exposing DSA implementations to signature forgery and private key compromise. `CVE-2026-4600` stems from improper verification in DSA domain-parameter validation within `KJUR.crypto.DSA.setPublic` and related DSA/X.509 verification code, allowing attackers to supply malicious parameters such as `g=1` and `y=1` so forged DSA signatures or X.509 certificates are accepted as valid. The issue is classified as `CWE-347` and carries high confidentiality and integrity impact. Two additional flaws can expose DSA private keys during signing. `CVE-2026-4601` affects `KJUR.crypto.DSA.signWithMessageHash`, where the library can emit invalid signatures when `r` or `s` becomes zero instead of retrying, creating a path to recover the private key. `CVE-2026-4599` affects versions from `7.0.0` through versions before `11.1.1` and is tied to incomplete comparison logic in `getRandomBigIntegerZeroToMax` and `getRandomBigIntegerMinToMax`, which can accept out-of-range values, bias DSA nonces, and likewise enable key recovery. The disclosures were accompanied by upstream commits, pull requests, public writeups, and Snyk advisories, with all three bugs rated for high confidentiality and integrity impact and no direct availability impact.
Jun 29, 2026