Back to overview

CVE-2026-41879

HIGH
8.2
CVSS 4.0
Description
R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtain password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file. This issue was fixed in version v3.17-2000.

Metadata

CVE ID
CVE-2026-41879
State
PUBLISHED
Assigner
CERT-PL
Reserved
2026-04-22 11:32 UTC
Published
2026-07-10 09:05 UTC
Last updated
2026-07-10 10:19 UTC
Primary CWE
CWE-328
CWE-328 Use of Weak Hash
Vendor / Product
R-SOFT SERWIS / DMS
Sources
cve.org  ·  NVD

Severity & Metrics

8.2 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
R-SOFT SERWIS DMS 0 < v3.17-2000
Weakness (CWE)
CWESourceDescription
CWE-328 cna CWE-328 Use of Weak Hash
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.2 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Back to overview