CVE-2026-9058

216.73.216.36

· Published 25/05/2026 14:16 · Modified 26/05/2026 19:59

Labels: CVE-2026-9058 2026-05-25 CVE-2026-9058 CWE-393 [email protected]

Essential information

Published: 25/05/2026 14:16
Modified: 26/05/2026 19:59
Author: —
Creator: —
CVSS: 9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
szafir / sdk	`cpe:2.3:a:szafir:sdk:<463:::::::*`