OS Command Injection Vulnerability in R-SOFT DMS OCR Module
CVE-2026-41880

9CRITICAL

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-41880?

The Optical Character Recognition (OCR) module in R-SOFT DMS is susceptible to OS Command Injection. This vulnerability arises from multiple command execution functions that improperly handle user-controllable file paths, allowing an authenticated attacker to execute arbitrary system commands via SSH. Although the standard web upload process with URL encoding typically mitigates this issue, successful exploitation through the OCR functionality could grant elevated privileges to the attacker, leading to significant security risks. This vulnerability has been addressed in versions v3.19-2862 and v3.17-2580.

Affected Version(s)

DMS 0

DMS 0

References

CVSS V4

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marek Figielski (Vanilla.pl)
.