CVE-2026-0809

Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with know values are encoded. This issue was fixed in version 20.0.380.92.

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/posts/2026/03/CVE-2026-0809
https://www.streamsoft.pl/streamsoft-prestiz/

Configurations

No configuration.

History

27 Apr 2026, 19:22

Type	Values Removed	Values Added
Summary		(es) El uso de un algoritmo de codificación de tokens personalizado en el software Streamsoft Presti? permite adivinar el valor del token KSeF (Krajowy System e-Faktur) después de analizar cómo se codifican los tokens con valores conocidos. Este problema se solucionó en la versión 20.0.380.92.

12 Mar 2026, 13:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-12 13:16

Updated : 2026-04-27 19:22

NVD link : CVE-2026-0809

Mitre link : CVE-2026-0809

CVE.ORG link : CVE-2026-0809

JSON object : View

Products Affected

No product.

CWE

CWE-261

Weak Encoding for Password

{"id": "CVE-2026-0809", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-12T13:16:00.723", "references": [{"url": "https://cert.pl/posts/2026/03/CVE-2026-0809", "source": "cvd@cert.pl"}, {"url": "https://www.streamsoft.pl/streamsoft-prestiz/", "source": "cvd@cert.pl"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-261"}]}], "descriptions": [{"lang": "en", "value": "Use of a custom token encoding algorithm in Streamsoft Presti\u017c software allows\u00a0the value of the KSeF (Krajowy System e-Faktur)\u00a0token to be guessed\u00a0after analyzing how tokens with know values are encoded.\n\nThis issue was fixed in version 20.0.380.92."}, {"lang": "es", "value": "El uso de un algoritmo de codificaci\u00f3n de tokens personalizado en el software Streamsoft Presti? permite adivinar el valor del token KSeF (Krajowy System e-Faktur) despu\u00e9s de analizar c\u00f3mo se codifican los tokens con valores conocidos.\n\nEste problema se solucion\u00f3 en la versi\u00f3n 20.0.380.92."}], "lastModified": "2026-04-27T19:22:08.623", "sourceIdentifier": "cvd@cert.pl"}