Stored XSS Vulnerability in R-SOFT DMS File Upload Functionality
CVE-2026-41877

5.1MEDIUM

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-41877?

R-SOFT DMS is susceptible to a Stored Cross-Site Scripting vulnerability in its file upload feature. This flaw allows an authenticated attacker to inject malicious HTML and JavaScript code into the filename during the upload process. The injected content is executed when other users access the file list or upload status, potentially compromising their security. The issue is mitigated in versions later than v3.19-2832 and v3.17-2580.

Affected Version(s)

DMS 0

DMS 0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marek Figielski (Vanilla.pl)
.