CVE-2026-44672
Deferred - Pending Action
Remote Code Execution in MapFish Print

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
mapfish-print is a component of MapFish for printing templated cartographic maps. In versions from 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, an unauthenticated attacker can execute arbitrary code through the Dynamic table feature. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3.
Meta Information
Published: 2026-05-28
Last Modified: 2026-06-01
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Showing 10 associated CPEs
Vendor   Product        Version / Range
mapfish  mapfish-print  From 3.23.0 (inc) to 3.28.28 (exc)
mapfish  mapfish-print  3.28.28
mapfish  mapfish-print  3.30.30
mapfish  mapfish-print  3.31.22
mapfish  mapfish-print  3.33.14
mapfish  mapfish-print  4.0.3
mapfish  mapfish-print  From 3.29.0 (inc) to 3.30.30 (exc)
mapfish  mapfish-print  From 3.31.0 (inc) to 3.31.21 (exc)
mapfish  mapfish-print  From 3.32.0 (inc) to 3.33.14 (exc)
mapfish  mapfish-print  From 3.34.0 (inc) to 4.0.3 (exc)
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2026-44672 is a critical Remote Code Execution (RCE) vulnerability found in the Dynamic table feature of the mapfish-print software, a component used for printing templated cartographic maps.

This vulnerability allows an attacker to execute arbitrary code on the affected system without needing to authenticate, due to improper control over code generation (a code injection flaw, CWE-94).

It affects mapfish-print versions from 3.23.0 up to, but not including, the releases in which the issue has been fixed: 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to execute arbitrary code remotely without authentication.

An attacker exploiting this flaw could take full control of the affected system, potentially leading to data theft, system compromise, disruption of services, or further attacks within the network.

Given the critical severity rating and the ease of exploitation (no authentication required), the risk to affected systems is very high.

Mitigation Strategies

To mitigate the CVE-2026-44672 vulnerability in mapfish-print, you should upgrade your software to one of the patched versions.

  • Upgrade to version 3.28.28 or later within the 3.28.x series.
  • Upgrade to version 3.30.30 or later within the 3.30.x series.
  • Upgrade to version 3.31.22 or later within the 3.31.x series.
  • Upgrade to version 3.33.14 or later within the 3.33.x series.
  • Upgrade to version 4.0.3 or later.

Compliance Impact

The vulnerability allows an attacker to execute arbitrary code without authentication, which poses a severe security risk. Such a critical remote code execution flaw can lead to unauthorized access, data breaches, and potential compromise of sensitive information.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized code execution typically undermine the security controls required by these regulations. This can result in non-compliance due to failure to protect personal or sensitive data adequately.

Detection Guidance

This vulnerability affects specific versions of mapfish-print, particularly those within the ranges >=3.23.0,<3.28.28; >=3.29.0,<3.30.30; >=3.31.0,<3.31.21; >=3.32.0,<3.33.14; and >=3.34.0,<4.0.3. Detection primarily involves identifying the installed version of mapfish-print on your system.

To detect if your system is vulnerable, you can check the version of mapfish-print installed. For example, if mapfish-print is installed as a package or binary, you might run commands like:

  • mapfish-print --version
  • dpkg -l | grep mapfish-print (on Debian-based systems)
  • rpm -qa | grep mapfish-print (on RedHat-based systems)

Additionally, monitoring network traffic for suspicious requests targeting the Dynamic table feature of mapfish-print could help detect exploitation attempts, but no specific detection commands or signatures are provided in the available information.

The recommended mitigation is to upgrade mapfish-print to one of the patched versions: 3.28.28, 3.30.30, 3.31.22, 3.33.14, or 4.0.3.
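
The version check described above can be automated across an inventory. The following is an added example, not code from this page or from the MapFish project: the host names and inventory lines are constructed, and the 3.31.x upper bound is assumed to be the fixed release 3.31.22 named in the description, so 3.31.21 is reported as affected.

```python
import re

# (first affected, first fixed) per branch, from the ranges and fixed
# releases listed on this page. Upper bounds are exclusive.
AFFECTED_RANGES = [
    ("3.23.0", "3.28.28"),
    ("3.29.0", "3.30.30"),
    ("3.31.0", "3.31.22"),  # assumption: fixed release taken from the description
    ("3.32.0", "3.33.14"),
    ("3.34.0", "4.0.3"),
]

# Constructed sample inventory: "<host> <reported mapfish-print version>".
SAMPLE_INVENTORY = """\
print-prod-01   3.30.11
print-prod-02   v3.31.21
print-stage     4.0.3
print-legacy    3.22.0
print-dev       latest
"""

def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v3.30.11' or '3.31'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def assess(version_text):
    """Return (is_affected, first_fixed_release_or_None) for CVE-2026-44672."""
    version = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= version < parse_version(first_fixed):
            return True, first_fixed
    return False, None

def scan(inventory):
    """Map each host to a verdict; unparseable versions are never reported clean."""
    results = {}
    for line in filter(str.strip, inventory.splitlines()):
        host, version = line.split(None, 1)
        try:
            affected, fixed = assess(version)
        except ValueError:
            results[host] = "unknown: resolve the tag to a release number"
            continue
        results[host] = f"affected, first fixed release {fixed}" if affected else "not affected"
    return results

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_INVENTORY).items():
        print(f"{host:15} {verdict}")
```

Floating tags such as `latest` are reported as unknown rather than clean, because they cannot be compared against the ranges until resolved to a concrete release.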
