CVE-2026-44672

Summary

mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, the attacker can execute arbitrary code in Dynamic table without being authenticated. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3.

Affected Software

VendorProductVersion RangeStatus
mapfishmapfish-print>= 3.23.0, < 3.28.28affected
mapfishmapfish-print>= 3.29.0, < 3.30.30affected
mapfishmapfish-print>= 3.31.0, < 3.31.21affected
mapfishmapfish-print>= 3.32.0, < 3.33.14affected
mapfishmapfish-print>= 3.34.0, < 4.0.3affected
camptocampmapfish_print>= 3.23.0, < 3.28.28affected
camptocampmapfish_print>= 3.29.0, < 3.30.30affected
camptocampmapfish_print>= 3.31.0, < 3.31.21affected
camptocampmapfish_print>= 3.32.0, < 3.33.14affected
camptocampmapfish_print>= 3.34.0, < 4.0.3affected
org.mapfishprint.print-lib>= 3.23.0, < 3.28.28affected
org.mapfishprint.print-lib>= 3.29.0, < 3.30.30affected
org.mapfishprint.print-lib>= 3.31.0, < 3.31.21affected
org.mapfishprint.print-lib>= 3.32.0, < 3.33.14affected
org.mapfishprint.print-lib>= 3.34.0, < 4.0.3affected
org.mapfishprint.print-servlet>= 3.23.0, < 3.28.28affected
org.mapfishprint.print-servlet>= 3.29.0, < 3.30.30affected
org.mapfishprint.print-servlet>= 3.31.0, < 3.31.21affected
org.mapfishprint.print-servlet>= 3.32.0, < 3.33.14affected
org.mapfishprint.print-servlet>= 3.34.0, < 4.0.3affected

Weaknesses

  • CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References