CVE-2026-9058

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e

Published: 2026-05-25 · Last updated: 2026-05-26

Severity and scoring

CWE
CWE-393, CWE-637

Description

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463.

Source: NVD
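
For applications that consume the verification report and cannot yet move to the fixed version, the check below is an added example (not code from Szafir SDK or from this advisory) that accepts a signature only when the result code is 0 and the signer certificate type is present and is not "nondetermined". It assumes the report is un-namespaced XML with one VerifyingTaskItem root, matching the XPaths in the description; the sample reports and the "example-trusted-type" value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports: only the element and attribute names from the
# advisory's XPaths are used; real reports may carry more structure.
REPORT_UNTRUSTED = """<VerifyingTaskItem><Signature><VerificationResult>
  <Result code="0"/>
  <SigningCertificate certificateType="nondetermined"/>
</VerificationResult></Signature></VerifyingTaskItem>"""

# "example-trusted-type" is a placeholder, not a documented SDK value.
REPORT_TRUSTED = REPORT_UNTRUSTED.replace("nondetermined", "example-trusted-type")


def signature_accepted(report_xml: str) -> tuple[bool, str]:
    """Fail-closed check: accept only if every signature verified AND the
    trust status of its signer certificate was established."""
    try:
        root = ET.fromstring(report_xml)
    except ET.ParseError:
        return False, "unparseable report"
    if root.tag != "VerifyingTaskItem":
        return False, "unexpected root element"
    signatures = root.findall("Signature")
    if not signatures:
        return False, "no signature in report"
    for sig in signatures:
        result = sig.find("VerificationResult/Result")
        cert = sig.find("VerificationResult/SigningCertificate")
        # Result code 0 alone is not sufficient on affected versions.
        if result is None or result.get("code") != "0":
            return False, "verification result is not 0"
        cert_type = cert.get("certificateType") if cert is not None else None
        if not cert_type:
            return False, "signer certificate type missing"
        if cert_type.strip().lower() == "nondetermined":
            return False, "signer certificate trust not established"
    return True, "verified with determined certificate trust"


if __name__ == "__main__":
    for name, doc in (("untrusted", REPORT_UNTRUSTED), ("trusted", REPORT_TRUSTED)):
        print(name, signature_accepted(doc))
```

Logging the rejection reason per signature gives a simple way to spot reports where the result code and the certificate type disagree.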
