{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0809", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-01-09T14:56:38.137Z", "datePublished": "2026-03-12T13:02:24.795Z", "dateUpdated": "2026-03-12T14:04:53.073Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Streamsoft Presti\u017c", "vendor": "Streamsoft", "versions": [{"lessThan": "20.0.380.92", "status": "affected", "version": "12.2.363.17", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kamil D\u0105bkowski"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Use of a custom token encoding algorithm in Streamsoft Presti\u017c software allows&nbsp;the value of the KSeF (Krajowy System e-Faktur)&nbsp;token to be guessed&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">after analyzing how tokens with know values are encoded</span>.<br><br>This issue was fixed in version 20.0.380.92."}], "value": "Use of a custom token encoding algorithm in Streamsoft Presti\u017c software allows\u00a0the value of the KSeF (Krajowy System e-Faktur)\u00a0token to be guessed\u00a0after analyzing how tokens with know values are encoded.\n\nThis issue was fixed in version 20.0.380.92."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-261", "description": "CWE-261 Weak Encoding for Password", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-03-12T13:02:24.795Z"}, "references": [{"tags": ["product"], "url": "https://www.streamsoft.pl/streamsoft-prestiz/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2026/03/CVE-2026-0809"}], "source": {"discovery": "EXTERNAL"}, "title": "Weak KSeF token encoding in Streamsoft Presti\u017c", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:04:19.633953Z", "id": "CVE-2026-0809", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:04:53.073Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T14:04:19.633953Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:04:22.959Z"}}], "cna": {"title": "Weak KSeF token encoding in Streamsoft Presti\u017c", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Kamil D\u0105bkowski"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Streamsoft", "product": "Streamsoft Presti\u017c", "versions": [{"status": "affected", "version": "12.2.363.17", "lessThan": "20.0.380.92", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.streamsoft.pl/streamsoft-prestiz/", "tags": ["product"]}, {"url": "https://cert.pl/posts/2026/03/CVE-2026-0809", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Use of a custom token encoding algorithm in Streamsoft Presti\u017c software allows\u00a0the value of the KSeF (Krajowy System e-Faktur)\u00a0token to be guessed\u00a0after analyzing how tokens with know values are encoded.\n\nThis issue was fixed in version 20.0.380.92.", "supportingMedia": [{"type": "text/html", "value": "Use of a custom token encoding algorithm in Streamsoft Presti\u017c software allows&nbsp;the value of the KSeF (Krajowy System e-Faktur)&nbsp;token to be guessed&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">after analyzing how tokens with know values are encoded</span>.<br><br>This issue was fixed in version 20.0.380.92.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-261", "description": "CWE-261 Weak Encoding for Password"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-03-12T13:02:24.795Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0809", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:04:53.073Z", "dateReserved": "2026-01-09T14:56:38.137Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-03-12T13:02:24.795Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use of a custom token encoding algorithm in Streamsoft Presti\u017c software allows\u00a0the value of the KSeF (Krajowy System e-Faktur)\u00a0token to be guessed\u00a0after analyzing how tokens with know values are encoded.\n\nThis issue was fixed in version 20.0.380.92."}, {"lang": "es", "value": "El uso de un algoritmo de codificaci\u00f3n de tokens personalizado en el software Streamsoft Presti? permite adivinar el valor del token KSeF (Krajowy System e-Faktur) despu\u00e9s de analizar c\u00f3mo se codifican los tokens con valores conocidos.\n\nEste problema se solucion\u00f3 en la versi\u00f3n 20.0.380.92."}], "id": "CVE-2026-0809", "lastModified": "2026-04-27T19:22:08.623", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-03-12T13:16:00.723", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/posts/2026/03/CVE-2026-0809"}, {"source": "cvd@cert.pl", "url": "https://www.streamsoft.pl/streamsoft-prestiz/"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-261"}], "source": "cvd@cert.pl", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[12.2.363.17,20.0.380.92)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Streamsoft Presti\u017c", "source": "cna", "vendor": "Streamsoft"}, "product": "streamsoft_presti\u017c", "vendor": "streamsoft"}], "analysis": {"en": {"generated_at": "2026-03-18T14:44:32.648198+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011issued patch to upgrade Streamsoft Presti\u017c to version 20.0.380.92 or later.", "If the patch cannot be applied immediately, consider disabling or restricting use of KSeF token authentication until a secure implementation is available.", "Monitor application logs for anomalous or repeated token usage that may indicate token forgery.", "Maintain current system backups and enable intrusion detection to detect unauthorized use of forged tokens."], "summary": {"action": "Patch", "impact": "Authentication Bypass / Token Forgery"}, "threat_synthesis": {"affected_systems": "The affected product is Streamsoft Presti\u017c. The vendor has indicated that the issue was corrected in release 20.0.380.92. The specific versions prior to this patch are not enumerated in the advisory, so any installation leveraging the older custom encoding algorithm is presumed vulnerable. Administrators should verify the product version and apply the noted patch when possible.", "description_and_impact": "The vulnerability arises from Streamsoft Presti\u017c\u2019s use of a custom, non\u2011standard encoding algorithm for the KSeF (Krajowy System e\u2011Faktur) token. Because the encoding can be reverse\u2011engineered by observing tokens with known values, an attacker can predict or forge valid tokens. This effectively creates an authentication bypass that permits unauthorized access to the KSeF system. The weakness is categorized as CWE\u2011261, which involves improper storage or handling of secrets.", "risk_and_exploitability": "The CVSS score of 6.3 signals moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely occur remotely, by collecting legitimate tokens and using the predictable encoding to generate valid authentication tokens. The requirement for initial token observation limits the attack surface, but once a token is spoofed, the attacker gains full access through that token."}}}}, "created": "2026-03-13T09:53:11.094615+00:00", "updated": "2026-03-20T15:49:48.082655+00:00", "vendors": ["streamsoft", "streamsoft$PRODUCT$streamsoft_presti\u017c"]}