CVE-2026-41877 in DMSinfo

Summary

by MITRE • 07/10/2026

R-SOFT DMS is vulnerable to Stored XSS in file upload functionality. Authenticated attacker can inject arbitrary HTML and JS into the name of the file being uploaded, which will be executed when visiting file list or upload status by other users.

This issue was fixed in version v3.19-2832 and v3.17-2580.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The R-SOFT DMS system presents a critical stored cross-site scripting vulnerability within its file upload functionality that enables authenticated attackers to execute malicious code against other users who view the affected file listings. This vulnerability stems from insufficient input validation and output sanitization mechanisms when processing file names during the upload process. The flaw allows an attacker with valid credentials to inject arbitrary HTML and JavaScript code directly into the filename field, which then gets stored within the system's database or file metadata structures.

The technical implementation of this vulnerability occurs at the application layer where user-supplied data enters the system without proper sanitization before being rendered in subsequent web page displays. When other users navigate to file lists or upload status pages, the malicious script contained within the filename executes in their browser context, potentially leading to session hijacking, credential theft, or redirection to malicious sites. This represents a classic stored XSS attack pattern where the payload persists server-side and executes automatically when viewed by victims.

The operational impact of this vulnerability extends beyond simple script execution as it creates a persistent backdoor for attackers to maintain access to the system. The attack requires only authentication privileges which are typically more easily obtained than exploiting other system vulnerabilities, making this particularly dangerous in environments where user access controls may be insufficiently enforced. When combined with the fact that the vulnerability affects multiple versions of the software, it poses significant risk to organizations that have not yet upgraded their installations.

Security professionals should note this vulnerability aligns with CWE-079 which specifically addresses cross-site scripting flaws, and maps to ATT&CK technique T1566.001 for initial access through malicious file uploads. Organizations affected by this vulnerability must implement immediate mitigations including input validation of all user-supplied data, output encoding of file names in web contexts, and comprehensive application security testing. The fix implemented in versions v3.19-2832 and v3.17-2580 demonstrates the vendor's response to this security issue through proper code remediation that addresses the root cause by sanitizing user inputs before storage.

The broader implications for system security include the need for comprehensive input validation across all user-facing interfaces, regular security assessments of file handling processes, and continuous monitoring for similar vulnerabilities in third-party components. Organizations should also consider implementing additional controls such as web application firewalls and automated scanning tools to detect potential exploitation attempts. This vulnerability highlights the critical importance of validating and sanitizing all user inputs regardless of their expected format or source, particularly when dealing with file operations that may be displayed to multiple users within a collaborative environment.

The remediation process requires organizations to not only upgrade to the patched versions but also to conduct thorough security reviews of existing data to ensure no malicious payloads have been previously stored in the system. Additionally, implementing proper access controls and monitoring for unusual upload patterns can help detect potential exploitation attempts before they can cause significant damage to the system or compromise user data integrity.

Responsible

CERT-PL

Reservation

04/22/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!