PatchSiren cyber security CVE debrief
CVE-2026-41877 R-SOFT SERWIS CVE debrief
CVE-2026-41877 is a Stored XSS vulnerability in R-SOFT DMS file upload functionality. An authenticated attacker can inject arbitrary HTML and JS into file names, executed when visiting file list or upload status by other users. This issue was fixed in version v3.19-2832 and v3.17-2580. The vulnerability has a CVSS score of 5.1 and a severity of MEDIUM. Users of R-SOFT DMS, especially those with upload privileges, should be aware of this vulnerability and take steps to protect themselves.
- Vendor
- R-SOFT SERWIS
- Product
- DMS
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of R-SOFT DMS, especially those with upload privileges, should be aware of this vulnerability and take steps to protect themselves. This includes updating R-SOFT DMS to version v3.19-2832 or v3.17-2580, restricting file upload privileges to trusted users, and monitoring for suspicious file uploads and user activity.
Technical summary
The vulnerability exists in the file upload functionality of R-SOFT DMS, allowing authenticated attackers to inject arbitrary HTML and JavaScript into file names. This code is then executed when other users view the file list or upload status. The vulnerability has a CVSS score of 5.1 and a severity of MEDIUM. Users with upload privileges should be cautious, as the attack requires authentication. Evidence is limited, and defenders should verify affected scope and vendor guidance, focusing on restricting file upload privileges and monitoring for suspicious activity.
Defensive priority
Medium priority due to the requirement for authentication and the potential impact on user interactions.
Recommended defensive actions
- Update R-SOFT DMS to version v3.19-2832 or v3.17-2580
- Restrict file upload privileges to trusted users
- Monitor for suspicious file uploads and user activity
- Implement additional security controls, such as input validation and output encoding
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-10T10:16:23.847Z and last modified on 2026-07-10T11:16:33.700Z. The NVD entry is currently receiving updates. Evidence is limited, and defenders should verify the affected scope and vendor guidance. The vulnerability exists in R-SOFT DMS file upload functionality, allowing authenticated attackers to inject arbitrary HTML and JavaScript into file names.
Official resources
-
CVE-2026-41877 CVE record
CVE.org
-
CVE-2026-41877 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T10:16:23.847Z and has not been modified since then.