CVE-2026-44088

Deferred Deferred - Pending Action

BaseFortify

Publication date: 2026-05-15

Last updated on: 2026-05-19

Assigner: CERT.PL

Description

SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded. This issue was fixed in version 1.2.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-15

Last Modified

2026-05-19

Generated

2026-05-20

EPSS Evaluated

2026-05-19

NVD

CVE-2026-44088

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-434	The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2026-44088

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

Ask Our AI Assistant

EPSS Chart