{"id":81794,"date":"2026-07-10T13:46:24","date_gmt":"2026-07-10T10:16:24","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-41880-os-command-injection-in-r-soft-dms\/"},"modified":"2026-07-10T13:46:24","modified_gmt":"2026-07-10T10:16:24","slug":"cve-2026-41880-os-command-injection-in-r-soft-dms","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-41880-os-command-injection-in-r-soft-dms\/","title":{"rendered":"CVE-2026-41880 &#8211; OS Command Injection in R-SOFT DMS"},"content":{"rendered":"<p>CVE ID :CVE-2026-41880<\/p>\n<p>  Published : July 10, 2026, 10:16 a.m. | 1\u00a0hour, 32\u00a0minutes ago<\/p>\n<p>  Description :R-SOFT DMS is vulnerable to\u00a0OS Command Injection in the Optical Character Recognition (OCR) module. Multiple command execution functions accept user-controllable file paths without proper sanitization before passing them to the system shell via SSH. In current infrastructure the URL encoding neutralizes the injection during the standard web upload flow. An authenticated attacker who\u00a0is able to trigger the OCR functionality for the uploaded file can execute OS commands within the context of a root user.<\/p>\n<p>This issue was fixed in version\u00a0v3.19-2862\u00a0and v3.17-2580.<\/p>\n<p>  Severity: 9.0 | CRITICAL<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-41880 Published : July 10, 2026, 10:16 a.m. | 1\u00a0hour, 32\u00a0minutes ago Description :R-SOFT DMS is vulnerable to\u00a0OS Command Injection in the Optical Character Recognition (OCR) module. Multiple command execution functions accept user-controllable file paths without proper sanitization before passing them to the system shell via SSH. In current infrastructure the URL encoding &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-81794","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81794","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=81794"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/81794\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=81794"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=81794"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=81794"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}