ctipilot.ch

Disig Web Signer eIDAS qualified-signature client RCE

cve · CVE-2026-8931

  • Coverage timeline: 1 (first 2026-06-02 → last 2026-06-02)
  • Briefs: 1 (1 distinct)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-06-02 · CTI Daily Brief — 2026-06-02
    trending_vulns · First coverage. CVSS 9.4 RCE in Slovak eIDAS signing client (SK-CERT); fixed 2.5.5.

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • disig.sk: 1 (50%)
  • euvd.enisa.europa.eu: 1 (50%)

Items in briefs about Disig Web Signer eIDAS qualified-signature client RCE (1)

CVE-2026-8931 — Disig Web Signer: critical RCE in a Slovak electronic-signature client

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

ENISA's EU Vulnerability Database, on an entry assigned by SK-CERT, records CVE-2026-8931 as a critical remote-code-execution vulnerability in Disig Web Signer 2.0.3–2.5.3 with a CVSS 4.0 base score of 9.4 (ENISA EUVD EUVD-2026-33648, 2026-06-01 · Disig vendor advisory). Web Signer is the client-side electronic-signature application published by the Slovak trust-service vendor Disig. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) indicates network exploitability requiring only that a user trigger the signing workflow — e.g. via a malicious document or page — with high impact on subsequent systems (SC:H/SI:H/SA:H), reflecting the client's integration into the applications that invoke it. Disig's advisory directs users to update; the fixed release is Web Signer 2.5.5. No in-the-wild exploitation was reported at disclosure.