Login bypass vulnerability in Polish Social Insurance, Court, and Health systems

3 points, posted 12 hours ago
by msm_

1 comment

msm_

12 hours ago

It's a pretty big one, published today. Fortunately it was found and submitted by a legitimate security researcher, and it was (as far as I know) not used in the wild. Pretty scary to think what could happen instead.

The root cause was a shared library (Szafir SDK) used by many Polish commercial and public institutions. It implemented login with the Polish e-signature (qualified certificate), but the library API was so convoluted that basically nobody used it correctly (registered as CVE-2026-9058 by Polish CERT: https://cert.pl/en/posts/2026/05/CVE-2026-9058/). This allowed a complete login bypass at affected institutions, most importantly ZUS (the universal Social Insurance system), the official online labor/employment portal, and many online court and universal healthcare systems.

Unfortunately I couldn't find anything about it in English, so you need to use your favourite translator.

A shorter and more to-the-point version (a summary for journalists) is https://zaufanatrzeciastrona.pl/post/podsumowanie-krytyczna-...