CVE-2026-9058
Severity CVSS v4.0:
CRITICAL
Type:
Unavailable / Other
Publication date:
25/05/2026
Last modified:
26/05/2026
Description
Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer&#39;s certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.<br />
<br />
This issue was fixed in version 463.
Impact
Base Score 4.0
9.30
Severity 4.0
CRITICAL



