CVE-2026-44088 — CERT-PL SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper
From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17
CERT-PL disclosed CVE-2026-44088 on 2026-05-17: a JAR zip-polyglot bypass in the SzafirHost browser helper that mediates qualified e-signature operations for Polish public-sector users (citizen-facing e-government services). The flaw lets a crafted JAR, delivered as a polyglot file, bypass the qualifying-certificate check and induce the host to attach a qualified signature to attacker-chosen content. Patched 2026-05-15.

Operational relevance for Swiss / EU public-sector defenders: the eIDAS qualified-electronic-signature framework is pan-European, so the class of attack — polyglot-file abuse of a browser helper that mediates signature operations — is portable to Swiss QES vendors and to other member-state qualified-signature browser helpers.

Validation: confirm the patch state of every QES helper in your endpoint estate; consider polyglot-file detection as a content-inspection control on inbound document workflows (CERT-PL CERT-PL-2026-44088; daily 2026-05-17).
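A content-inspection check of the kind the validation note suggests, added here as an example and not CERT-PL's or the vendor's code: it flags a file whose leading bytes claim another format (PDF, PNG, ...) while a valid zip/JAR structure sits at the end, which is the shape of a zip polyglot, because zip readers locate the archive from its trailer and skip any prefix. The signature table and the sample JAR are constructed for the example.

```python
import io
import struct
import zipfile

# Leading-byte signatures a naive content filter keys on (constructed table).
LEADING_MAGIC = {b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\x89PNG": "png",
                 b"GIF8": "gif", b"MZ": "pe"}
EOCD_SIG = b"PK\x05\x06"
EOCD_SEARCH = 22 + 65535  # EOCD record plus maximum zip comment length


def leading_format(data: bytes) -> str:
    """Format claimed by the first bytes, which is all a magic-number check sees."""
    for magic, name in LEADING_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def zip_prefix_length(data: bytes):
    """Bytes preceding the real zip structure, or None if no valid zip is present.
    Zip readers find the end-of-central-directory record from the end of the
    file, so leading bytes of another format are skipped silently."""
    tail = data[-EOCD_SEARCH:]
    pos = tail.rfind(EOCD_SIG)
    eocd = len(data) - len(tail) + pos
    if pos < 0 or eocd + 22 > len(data):
        return None
    size_cd, offset_cd = struct.unpack_from("<II", data, eocd + 12)
    actual_cd = eocd - size_cd
    if actual_cd < 0 or data[actual_cd:actual_cd + 4] != b"PK\x01\x02":
        return None
    return actual_cd - offset_cd  # 0 for a plain zip, >0 when a prefix exists


def inspect(data: bytes) -> dict:
    prefix = zip_prefix_length(data)
    names = []
    if prefix is not None:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:  # tolerates the prefix
            names = zf.namelist()
    return {"leading": leading_format(data), "zip_prefix": prefix,
            "is_jar": "META-INF/MANIFEST.MF" in names,
            "polyglot": prefix is not None and prefix > 0}


def build_samples():
    """Constructed test data: a minimal JAR, and the same JAR behind a PDF header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe")
    jar = buf.getvalue()
    return jar, b"%PDF-1.4\n%constructed-prefix\n" + jar
```

A file that `inspect` reports as `polyglot` with `is_jar` set deserves quarantine or manual review regardless of what its extension or leading magic says.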