Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

R-SOFT SERWIS

Source -

CNA

BOS Name -

N/A

CNA CVEs -

5

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
5Vulnerabilities found

CVE-2026-41879
Assigner-CERT.PL
ShareView Details
Assigner-CERT.PL
CVSS Score-8.2||HIGH
EPSS-0.27% / 18.69%
||
7 Day CHG~0.00%
Published-10 Jul, 2026 | 09:05
Updated-10 Jul, 2026 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weak password hashing in R-SOFT DMS

R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtain password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file. This issue was fixed in version v3.17-2000.

Action-Not Available
Vendor-R-SOFT SERWIS
Product-DMS
CWE ID-CWE-328
Use of Weak Hash
CVE-2026-41878
Assigner-CERT.PL
ShareView Details
Assigner-CERT.PL
CVSS Score-7.1||HIGH
EPSS-0.47% / 37.59%
||
7 Day CHG~0.00%
Published-10 Jul, 2026 | 09:05
Updated-10 Jul, 2026 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Direct Object Reference in R-SOFT DMS

R-SOFT DMS is vulnerable to Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints. The application fetches files from the database by ID and serves them to whoever requests them, relying only on session authentication, meaning any valid user can access any file. This issue was fixed in version v3.19-2862 and v3.17-2580.

Action-Not Available
Vendor-R-SOFT SERWIS
Product-DMS
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-41880
Assigner-CERT.PL
ShareView Details
Assigner-CERT.PL
CVSS Score-9||CRITICAL
EPSS-1.33% / 67.88%
||
7 Day CHG~0.00%
Published-10 Jul, 2026 | 09:05
Updated-10 Jul, 2026 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection in R-SOFT DMS

R-SOFT DMS is vulnerable to OS Command Injection in the Optical Character Recognition (OCR) module. Multiple command execution functions accept user-controllable file paths without proper sanitization before passing them to the system shell via SSH. In current infrastructure the URL encoding neutralizes the injection during the standard web upload flow. An authenticated attacker who is able to trigger the OCR functionality for the uploaded file can execute OS commands within the context of a root user. This issue was fixed in version v3.19-2862 and v3.17-2580.

Action-Not Available
Vendor-R-SOFT SERWIS
Product-DMS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2026-41877
Assigner-CERT.PL
ShareView Details
Assigner-CERT.PL
CVSS Score-5.1||MEDIUM
EPSS-0.39% / 31.23%
||
7 Day CHG~0.00%
Published-10 Jul, 2026 | 09:05
Updated-10 Jul, 2026 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored XSS in R-SOFT DMS

R-SOFT DMS is vulnerable to Stored XSS in file upload functionality. Authenticated attacker can inject arbitrary HTML and JS into the name of the file being uploaded, which will be executed when visiting file list or upload status by other users. This issue was fixed in version v3.19-2832 and v3.17-2580.

Action-Not Available
Vendor-R-SOFT SERWIS
Product-DMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-41876
Assigner-CERT.PL
ShareView Details
Assigner-CERT.PL
CVSS Score-8.7||HIGH
EPSS-1.23% / 65.48%
||
7 Day CHG~0.00%
Published-10 Jul, 2026 | 09:05
Updated-10 Jul, 2026 | 11:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection in R-SOFT DMS

R-SOFT DMS is vulnerable to OS Command Injection in konwertujAction() function. The document converter executes shell commands using unsanitized file paths and format parameters. This allows an authenticated attacker to execute arbitrary system commands with the privileges of the web server user. This issue was fixed in version v3.19-2752 and v3.17-2580.

Action-Not Available
Vendor-R-SOFT SERWIS
Product-DMS
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')