CVE-2026-41876

R-SOFT · SERWIS DMS

R-SOFT SERWIS DMS is vulnerable to OS Command Injection via the konwertujAction() function, potentially allowing an authenticated attacker to execute arbitrary system commands.

Executive summary

An OS command injection vulnerability in R-SOFT SERWIS DMS allows authenticated attackers to execute arbitrary system commands, posing a critical risk to underlying server integrity.

Vulnerability

This vulnerability is an OS Command Injection (CWE-78) occurring within the konwertujAction() function. It requires the attacker to have an authenticated session to trigger the injection point.

Business impact

Successful exploitation of this vulnerability allows for remote code execution on the host server with the privileges of the application process. Given the CVSS score of 8.7, this represents a high risk of complete system compromise, unauthorized data access, and potential lateral movement within the network.

Remediation

Immediate Action: Update R-SOFT SERWIS DMS to version v3.19-2752 or v3.17-2580 or later as specified by the vendor.

Proactive Monitoring: Review application and system access logs for anomalous execution patterns or unexpected shell commands originating from the web application user.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block suspicious input containing command-line characters or shell metacharacters in HTTP requests.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this vulnerability necessitates immediate patching. Organizations should prioritize updating their instances of R-SOFT SERWIS DMS to the versions specified to eliminate the command injection vector.