CVE-2026-26927
Received Received - Intake
Unauthorized URL Manipulation in Szafir SDK Web Enables Arbitrary Execution

Publication date: 2026-04-02

Last updated on: 2026-04-02

Assigner: CERT.PL

Description
Szafir SDK Web is a browser plug-in that can run SzafirHost application which download the necessary files when launched. In Szafir SDK Web it is possible to change the URL (HTTP Origin) of the application call location. An unauthenticated attacker can craft a website that is able to launch SzafirHost application with arbitrary arguments via Szafir SDK Web browser addon. No validation will be performed to check whether the address specified in `document_base_url` parameter is in any way related to the actual address of the calling web application. The URL address specified in `document_base_url` parameter is then shown in the application confirmation prompt. When a victim confirms the execution of the application, it will be called in the context of attacker's website URL and might download additional files and libraries from that website. When victim accepts the application execution for the URL showed in the confirmation prompt with the "remember" option before, the prompt won't be shown and the application will be called in the context of URL provided by the attacker without any interaction. This issue was fixed in version 0.0.17.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26927
EUVD
EUVD-2026-18228
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
szafir szafir_sdk_web 0.0.17.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-348 The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Szafir SDK Web browser plug-in, which can run the SzafirHost application. An unauthenticated attacker can exploit the ability to change the URL (HTTP Origin) of the application call location by crafting a malicious website. This website can launch the SzafirHost application with arbitrary arguments via the browser add-on without validating whether the specified URL in the 'document_base_url' parameter is related to the calling web application's actual address.

When the victim confirms the execution prompt showing the attacker's URL, the application runs in the context of the attacker's website and may download additional files and libraries from that malicious source. If the victim previously selected the 'remember' option on the prompt, future executions will occur without any user interaction, allowing the attacker to run the application silently.

Impact Analysis

This vulnerability can lead to unauthorized execution of the SzafirHost application with attacker-controlled parameters and sources. It allows an attacker to trick users into running the application in the context of a malicious website, potentially causing the application to download and execute harmful files or libraries.

If the user previously allowed the application to run without prompts, the attacker can exploit this to execute malicious code silently, increasing the risk of compromise, data theft, or further exploitation on the victim's system.

Mitigation Strategies

The vulnerability in Szafir SDK Web was fixed in version 0.0.17.4. Immediate mitigation steps include updating the Szafir SDK Web browser plug-in to version 0.0.17.4 or later.

Additionally, users should be cautious when confirming application execution prompts, especially if the URL shown in the confirmation prompt is unfamiliar or suspicious.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26927. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart