Back to overview

CVE-2026-41878

HIGH
7.1
CVSS 4.0
Description
R-SOFT DMS is vulnerable to Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints. The application fetches files from the database by ID and serves them to whoever requests them, relying only on session authentication, meaning any valid user can access any file. This issue was fixed in version v3.19-2862 and v3.17-2580.

Metadata

CVE ID
CVE-2026-41878
State
PUBLISHED
Assigner
CERT-PL
Reserved
2026-04-22 11:32 UTC
Published
2026-07-10 09:05 UTC
Last updated
2026-07-10 10:23 UTC
Primary CWE
CWE-639
CWE-639 Authorization Bypass Through User-Controlled Key
Vendor / Product
R-SOFT SERWIS / DMS
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
R-SOFT SERWIS DMS 0 < v3.19-2862, 0 < v3.17-2580
Weakness (CWE)
CWESourceDescription
CWE-639 cna CWE-639 Authorization Bypass Through User-Controlled Key
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.1 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Back to overview