CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13165

unknowncovered by 1 sourcefirst seen 2026-06-29
SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers). An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This can lead to remote code execution. This issue was fixed in version 1.2.2.

⚡ Watch CVE-2026-13165

Get an email if CVE-2026-13165 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-13165

CVE.org record

Embed the live status

CVE-2026-13165 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13165 status](https://www.csirts.com/badge/CVE-2026-13165)](https://www.csirts.com/cve/CVE-2026-13165)