CVE-2026-44672 PUBLISHED

mapfish-print: Remote Code Injection (RCE) in Dynamic table

Assigner: GitHub_M
Reserved: 07.05.2026 Published: 28.05.2026 Updated: 28.05.2026

mapfish-print is a component of MapFish for printing templated cartographic maps. In versions from 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, an unauthenticated attacker can execute arbitrary code via Dynamic table. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 9.3

Product Status

Vendor mapfish
Product mapfish-print
Versions
  • Version >= 3.23.0, < 3.28.28 is affected
  • Version >= 3.29.0, < 3.30.30 is affected
  • Version >= 3.31.0, < 3.31.21 is affected
  • Version >= 3.32.0, < 3.33.14 is affected
  • Version >= 3.34.0, < 4.0.3 is affected
Vendor camptocamp
Product mapfish_print
Versions
  • Version >= 3.23.0, < 3.28.28 is affected
  • Version >= 3.29.0, < 3.30.30 is affected
  • Version >= 3.31.0, < 3.31.21 is affected
  • Version >= 3.32.0, < 3.33.14 is affected
  • Version >= 3.34.0, < 4.0.3 is affected
Vendor org.mapfish
Product print.print-lib
Versions
  • Version >= 3.23.0, < 3.28.28 is affected
  • Version >= 3.29.0, < 3.30.30 is affected
  • Version >= 3.31.0, < 3.31.21 is affected
  • Version >= 3.32.0, < 3.33.14 is affected
  • Version >= 3.34.0, < 4.0.3 is affected
Vendor org.mapfish
Product print.print-servlet
Versions
  • Version >= 3.23.0, < 3.28.28 is affected
  • Version >= 3.29.0, < 3.30.30 is affected
  • Version >= 3.31.0, < 3.31.21 is affected
  • Version >= 3.32.0, < 3.33.14 is affected
  • Version >= 3.34.0, < 4.0.3 is affected

Problem Types

  • CWE-94: Improper Control of Generation of Code ('Code Injection')