OS Command Injection Vulnerability in R-SOFT DMS Document Converter
CVE-2026-41876

8.7HIGH

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-41876?

R-SOFT DMS is prone to an OS command injection vulnerability within the konwertujAction() function. The flaw arises from the document converter's execution of shell commands using unsanitized file paths and format parameters. This security lapse permits an authenticated attacker to execute arbitrary system commands with the same privileges as the web server user, potentially leading to unauthorized access or system compromise. Users should upgrade to versions v3.19-2752 or v3.17-2580 to mitigate this risk.

Affected Version(s)

DMS 0

DMS 0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marek Figielski (Vanilla.pl)
.