Critical severityGHSA Advisory· Published May 13, 2026· Updated May 13, 2026
Mapfish Print: Remote Code Injection (RCE) in Dynamic table
CVE-2026-44672
Description
Impact
The attacker can execute arbitrary code without being authenticated
Mitigation
Upgrade to a patched version (please check affected/patched version matrix)
Credits
Bug Bounty of Canton du Jura
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.mapfish.print:print-libMaven | >= 3.23.0, < 3.28.28 | 3.28.28 |
org.mapfish.print:print-libMaven | >= 3.29.0, < 3.30.30 | 3.30.30 |
org.mapfish.print:print-libMaven | >= 3.31.0, < 3.31.21 | 3.31.21 |
org.mapfish.print:print-libMaven | >= 3.32.0, < 3.33.14 | 3.33.14 |
org.mapfish.print:print-libMaven | >= 3.34.0, < 4.0.3 | 4.0.3 |
org.mapfish.print:print-servletMaven | >= 3.23.0, < 3.28.28 | 3.28.28 |
org.mapfish.print:print-servletMaven | >= 3.29.0, < 3.30.30 | 3.30.30 |
org.mapfish.print:print-servletMaven | >= 3.31.0, < 3.31.21 | 3.31.21 |
org.mapfish.print:print-servletMaven | >= 3.32.0, < 3.33.14 | 3.33.14 |
org.mapfish.print:print-servletMaven | >= 3.34.0, < 4.0.3 | 4.0.3 |
Affected products
1- Range: >= 3.34.0, < 4.0.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.