CVE-2026-41880

CRITICAL

CVSS v4.0: 9.0 · EPSS: 0.0133 (67.7 percentile)

NetworkNo user interactionOS Command Injection

Source data as of:

At a glance

Severity
CRITICAL
CVSS
9.0 v4.0 · NVD
EPSS
0.0133 (67.7 percentile) · FIRST.org
CISA KEV
No
Type
OS Command Injection · NVD CWE
Attack conditions (CVSS vector)
NetworkNo user interaction · Source: NVD Vector
Published
2026-07-10 · Modified: 2026-07-10

CVSS / EPSS / KEV

CVSS v4.0 9.0 / 10 CRITICAL Source: NVD
EPSS 0.0133 67.7 percentile Source: FIRST.org
CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

R-SOFT DMS is vulnerable to OS Command Injection in the Optical Character Recognition (OCR) module. Multiple command execution functions accept user-controllable file paths without proper sanitization before passing them to the system shell via SSH. In current infrastructure the URL encoding neutralizes the injection during the standard web upload flow. An authenticated attacker who is able to trigger the OCR functionality for the uploaded file can execute OS commands within the context of a root user. This issue was fixed in version v3.19-2862 and v3.17-2580.

Record details

CVE ID
CVE-2026-41880
CVSS (v4.0)
9.0 (CRITICAL)
Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS
0.0133 (67.7 percentile) — 2026-07-11
CISA KEV
No
Weakness (CWE)
CWE-78
Affected configurations (CPE)
0
Published
2026-07-10
Modified
2026-07-10
Status
Deferred

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.