Description

The D.Launcher 2 component of the Slovak eID client ecosystem contains an Improper URL Handler Processing vulnerability. The application registers multiple custom URL handlers that could be exploited to initiate full NTLM authentication or an SMB connection to attacker infrastructure and to conduct SSRF (Server-Side Request Forgery) attacks. User interaction is required, as the potential victim needs to open a specially crafted URL.

PUBLISHED Reserved 2026-05-19 | Published 2026-06-02 | Updated 2026-06-02 | Assigner SK-CERT




MEDIUM: 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Problem types

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CWE-1395: Dependency on Vulnerable Third-Party Component

Product status

Default status: unaffected

Any version before 2.0.7: affected

Credits

Martin Orem from Binary House (finder)

References

www.slovensko.sk/...y/detail/_zranitelnost-aplikacie-d-launc

ditec.sk/static/kep/apps/release-notes/en

cve.org (CVE-2026-8993)

nvd.nist.gov (CVE-2026-8993)
