ctipilot.ch

Disig Web Signer 2.0.3-2.5.3 — unauthenticated RCE in Slovak eIDAS qualified-signature client (CVSS 4.0 9.4, SK-CERT); fixed 2.5.5

cve · CVE-2026-8931

Coverage timeline
1
first 2026-06-02 → last 2026-06-02
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
0
no mapped behavior yet

Hunting pivots

Story timeline

  1. 2026-06-02CVE-2026-8931 — Disig Web Signer: critical RCE in a Slovak electronic-signature client
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • disig.sk1 (50%)
  • euvd.enisa.europa.eu1 (50%)

explore in graph

Entries about Disig Web Signer 2.0.3-2.5.3 — unauthenticated RCE in Slovak eIDAS qualified-signature client (CVSS 4.0 9.4, SK-CERT); fixed 2.5.5 (1)

2026-06-02 · view entry permalink →

CVE-2026-8931 — Disig Web Signer: critical RCE in a Slovak electronic-signature client

ENISA's EU Vulnerability Database, on an entry assigned by SK-CERT, records CVE-2026-8931 as a critical remote-code-execution vulnerability in Disig Web Signer 2.0.3–2.5.3 with a CVSS 4.0 base score of 9.4 (ENISA EUVD EUVD-2026-33648, 2026-06-01 · Disig vendor advisory). Web Signer is the client-side electronic-signature application published by the Slovak trust-service vendor Disig. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates network exploitability requiring only that a user trigger the signing workflow — e.g. via a malicious document or page — with high impact on subsequent systems (SC:H/SI:H/SA:H), reflecting the client's integration into the applications that invoke it. Disig's advisory directs users to update; the fixed release is Web Signer 2.5.5. No in-the-wild exploitation was reported at disclosure.

vulnerability02 Jun 05:00Zmulti-sourceOpen finding ↗