Back to overview

CVE-2026-41876

HIGH
8.7
CVSS 4.0
Description
R-SOFT DMS is vulnerable to OS Command Injection in konwertujAction() function. The document converter executes shell commands using unsanitized file paths and format parameters. This allows an authenticated attacker to execute arbitrary system commands with the privileges of the web server user. This issue was fixed in version v3.19-2752 and v3.17-2580.

Metadata

CVE ID
CVE-2026-41876
State
PUBLISHED
Assigner
CERT-PL
Reserved
2026-04-22 11:32 UTC
Published
2026-07-10 09:05 UTC
Last updated
2026-07-10 10:57 UTC
Primary CWE
CWE-78
CWE-78 Improper Neutralization of Special Elements used in a…
Vendor / Product
R-SOFT SERWIS / DMS
Sources
cve.org  ·  NVD

Severity & Metrics

8.7 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
R-SOFT SERWIS DMS 0 < v3.19-2752, 0 < v3.17-2580
Weakness (CWE)
CWESourceDescription
CWE-78 cna CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Back to overview