CVE-2026-44088
Remote Code Execution in SzafirHost
SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded.
This issue was fixed in version 1.2.1.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Produtos afetados
Krajowa Izba Rozliczeniowa · SzafirHostQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →