CVE-2026-44672
Remote Code Execution in MapFish Print
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mapfish | mapfish-print | From 3.23.0 (inc) to 3.28.28 (exc) |
| mapfish | mapfish-print | 3.28.28 |
| mapfish | mapfish-print | 3.30.30 |
| mapfish | mapfish-print | 3.31.22 |
| mapfish | mapfish-print | 3.33.14 |
| mapfish | mapfish-print | 4.0.3 |
| mapfish | mapfish-print | From 3.29.0 (inc) to 3.30.30 (exc) |
| mapfish | mapfish-print | From 3.31.0 (inc) to 3.31.21 (exc) |
| mapfish | mapfish-print | From 3.32.0 (inc) to 3.33.14 (exc) |
| mapfish | mapfish-print | From 3.34.0 (inc) to 4.0.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44672 is a critical Remote Code Execution (RCE) vulnerability found in the Dynamic table feature of the mapfish-print software, a component used for printing templated cartographic maps.
This vulnerability allows an attacker to execute arbitrary code on the affected system without needing to authenticate, due to improper control over code generation (a code injection flaw, CWE-94).
It affects multiple versions of mapfish-print: releases from 3.23.0 onward in each maintained series, up to but not including the fixed versions 3.28.28, 3.30.30, 3.31.22, 3.33.14 and 4.0.3.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an attacker to execute arbitrary code remotely without authentication.
An attacker exploiting this flaw could take full control of the affected system, potentially leading to data theft, system compromise, disruption of services, or further attacks within the network.
Given the critical severity rating and the ease of exploitation (no authentication required), the risk to affected systems is very high.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-44672 vulnerability in mapfish-print, you should upgrade your software to one of the patched versions.
- Upgrade to version 3.28.28 or later within the 3.28.x series.
- Upgrade to version 3.30.30 or later within the 3.30.x series.
- Upgrade to version 3.31.22 or later within the 3.31.x series.
- Upgrade to version 3.33.14 or later within the 3.33.x series.
- Upgrade to version 4.0.3 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute arbitrary code without authentication, which poses a severe security risk. Such a critical remote code execution flaw can lead to unauthorized access, data breaches, and potential compromise of sensitive information.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized code execution typically undermine the security controls required by these regulations. This can result in non-compliance due to failure to protect personal or sensitive data adequately.