[HIGH] CVE-2026-44088 — CVSS 8.6 (May 15, 2026)

A HIGH-severity vulnerability identified as CVE-2026-44088 has been published on May 15, 2026 with a CVSS base score of 8.6. This security advisory provides a detailed breakdown of the vulnerability, its potential impact, weakness classification, and actionable steps to protect your systems.

Vulnerability Details

CVE ID: CVE-2026-44088
Severity: HIGH
CVSS Score: 8.6
Published: May 15, 2026
Weakness (CWE): CWE-434

Technical Description

SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded. This issue was fixed in version 1.2.1.

Potential Impact

If exploited, this high-severity vulnerability could allow an attacker to cause significant damage to affected systems. Organizations running affected software should treat this as a priority remediation item.

Recommended Action

No official patch is available yet. Until one is released:

1. Monitor the official NVD page and vendor channels for patch announcements.
2. Restrict access to the affected system or service where possible.
3. Apply network-level mitigations such as firewall rules or WAF policies.
4. Enable logging and alerting for anomalous activity related to this vulnerability.
5. Review your incident response plan in case of active exploitation.

View full details on NVD →

References

• Reference 1
• Reference 2

Related Security Advisories

• [HIGH] CVE-2026-25705 — CVSS 8.4 (May 13, 2026) — HIGH / CVSS 8.4
• [HIGH] CVE-2026-2993 — CVSS 7.5 (May 12, 2026) — HIGH / CVSS 7.5
• [HIGH] CVE-2026-35227 — CVSS 8.2 (May 12, 2026) — HIGH / CVSS 8.2