CVE-2026-8993

MEDIUM

Improper URL Handler Processing in D.Launcher 2 enables NTLM Credential Disclosure and SSRF attacks

Title source: cna

Description

D.Launcher 2 component of Slovak eID client ecosystem contains Improper URL Handler Processing vulnerability. Application registers multiple custom URL handlers that could be exploited to initiate full NTLM autentication or SMB connection to attacker infrastructure and to conduct SSRF (Server Side Request Forgery) attacks. User interaction is required as potential victim needs to open a specially crafted URL.

References (2)

Core 2

Core References

https://www.slovensko.sk/sk/oznamy/detail/_zranitelnost-aplikacie-d-launc

https://ditec.sk/static/kep/apps/release-notes/en

Scores

CVSS v3 6.5

EPSS 0.0022

EPSS Percentile 13.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200 CWE-74

Status published

Products (1)

Ditec a.s./D.Launcher 2 < 2.0.7

Published Jun 02, 2026

Tracked Since Jun 02, 2026