| CVE ID | CVE-2026-41876 |
| Publication date | 10 July 2026 |
| Vendor | R-SOFT SERWIS |
| Product | DMS |
| Vulnerable versions | All before v3.19-2752 All before v3.17-2580 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-41877 |
| Publication date | 10 July 2026 |
| Vendor | R-SOFT SERWIS |
| Product | DMS |
| Vulnerable versions | All before v3.19-2832 All before v3.17-2580 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-41878 |
| Publication date | 10 July 2026 |
| Vendor | R-SOFT SERWIS |
| Product | DMS |
| Vulnerable versions | All before v3.19-2862 All before v3.17-2580 |
| Vulnerability type (CWE) | Authorization Bypass Through User-Controlled Key (CWE-639) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-41879 |
| Publication date | 10 July 2026 |
| Vendor | R-SOFT SERWIS |
| Product | DMS |
| Vulnerable versions | All before v3.17-2000 |
| Vulnerability type (CWE) | Use of Weak Hash (CWE-328) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2026-41880 |
| Publication date | 10 July 2026 |
| Vendor | R-SOFT SERWIS |
| Product | DMS |
| Vulnerable versions | All before v3.19-2862 All before v3.17-2580 |
| Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in R-SOFT DMS software and participated in coordination of their disclosure.
The vulnerability CVE-2026-41876: R-SOFT DMS is vulnerable to OS Command Injection in konwertujAction() function. The document converter executes shell commands using unsanitized file paths and format parameters. This allows an authenticated attacker to execute arbitrary system commands with the privileges of the web server user.
This issue was fixed in version v3.19-2752 and v3.17-2580.
The vulnerability CVE-2026-41877: R-SOFT DMS is vulnerable to Stored XSS in file upload functionality. Authenticated attacker can inject arbitrary HTML and JS into the name of the file being uploaded, which will be executed when visiting file list or upload status by other users.
This issue was fixed in version v3.19-2832 and v3.17-2580.
The vulnerability CVE-2026-41878: R-SOFT DMS is vulnerable to Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints. The application fetches files from the database by ID and serves them to whoever requests them, relying only on session authentication, meaning any valid user can access any file.
This issue was fixed in version v3.19-2862 and v3.17-2580.
The vulnerability CVE-2026-41879: R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtain password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file.
This issue was fixed in version v3.17-2000.
The vulnerability CVE-2026-41880: R-SOFT DMS is vulnerable to OS Command Injection in the Optical Character Recognition (OCR) module. Multiple command execution functions accept user-controllable file paths without proper sanitization before passing them to the system shell via SSH. In current infrastructure the URL encoding neutralizes the injection during the standard web upload flow. An authenticated attacker who is able to trigger the OCR functionality for the uploaded file can execute OS commands within the context of a root user.
This issue was fixed in version v3.19-2862 and v3.17-2580.
Credits
We thank Marek Figielski (Vanilla.pl) for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.