AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T10:16:24.193Z and has not been modified since then. R-SOFT DMS is vulnerable to OS Command Injection in the Optical Character Recognition (OCR) module. Multiple command execution functions accept user-controllable file paths without proper sanitization before passing them to the system shell via [truncated]
R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtains the password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file. The issue was fixed in version v3.17-2000. This vulnerability has significant implications for the security of R-SOFT DMS systems, particularly those with [truncated]
CVE-2026-41878 is an Insecure Direct Object Reference (IDOR) vulnerability in R-SOFT DMS, allowing unauthorized access to sensitive files. The application fetches files from the database by ID and serves them to whoever requests them, relying only on session authentication. This issue was fixed in version v3.19-2862 and v3.17-2580. Users should be aware of the potential for data breaches and take immediat [truncated]
CVE-2026-41877 is a Stored XSS vulnerability in R-SOFT DMS file upload functionality. An authenticated attacker can inject arbitrary HTML and JS into file names, executed when visiting file list or upload status by other users. This issue was fixed in version v3.19-2832 and v3.17-2580. The vulnerability has a CVSS score of 5.1 and a severity of MEDIUM. Users of R-SOFT DMS, especially those with upload pri [truncated]
CVE-2026-41876 is an OS Command Injection vulnerability in R-SOFT DMS. The document converter executes shell commands using unsanitized file paths and format parameters, allowing an authenticated attacker to execute arbitrary system commands with the privileges of the web server user. This issue was fixed in version v3.19-2752 and v3.17-2580. Users should apply patches immediately and review system logs f [truncated]