Description
mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, the attacker can execute arbitrary code in Dynamic table without being authenticated. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3.
Published: 2026-05-28
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Arbitrary code execution is possible through the Dynamic Table functionality of the MapFish Print component, which is used for rendering templated cartographic maps. The vulnerability is a form of code injection (CWE-94): an unauthenticated attacker can supply crafted input that the server evaluates as code. Because no authentication is required and the injected code runs with the privileges of the print service, a successful exploit can compromise the entire hosting environment, with complete loss of confidentiality, integrity, and availability.

Affected Systems

The affected product is MapFish Print, as published under the vendor names camptocamp, mapfish, and org.mapfish. The vulnerability applies to MapFish Print versions 3.23.0 through 3.28.27, 3.30.0 through 3.30.29, 3.31.0 through 3.31.21, 3.33.0 through 3.33.13, and 4.0.0 through 4.0.2. It is remediated in versions 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3 respectively.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. Although an EPSS score is not available, the absence of authentication checks and the high impact of code injection suggest that exploitation could occur frequently if the vulnerable component is exposed to the internet. The vulnerability is not listed in the CISA KEV catalog, but its potential for unprivileged remote code execution makes it a high priority for remediation.

Generated by OpenCVE AI on May 28, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MapFish Print to version 3.28.28 or later, 3.30.30 or later, 3.31.22 or later, 3.33.14 or later, or 4.0.3 or later to apply the vendor-supplied fix
  • If an upgrade is not immediately possible, isolate the MapFish Print service from external networks and enforce strict access controls to prevent unauthenticated access
  • Review and harden configuration settings for Dynamic Table processing to ensure that only trusted input is accepted, and consider disabling Dynamic Table functionality if not required



Advisories
  • Source: GitHub GHSA; ID: GHSA-q7m6-wpvf-mvwx; Title: Mapfish Print: Remote Code Injection (RCE) in Dynamic table
History

Thu, 28 May 2026 16:30:00 +0000

  • Metrics (ssvc), values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 15:30:00 +0000

  • Description, values added: mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, the attacker can execute arbitrary code in Dynamic table without being authenticated. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3.
  • Title, values added: mapfish-print: Remote Code Injection (RCE) in Dynamic table
  • Weaknesses, values added: CWE-94
  • References, values added:
  • Metrics (cvssV4_0), values added: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T15:26:01.990Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44672

Vulnrichment

Updated: 2026-05-28T15:25:54.912Z

NVD

Status : Received

Published: 2026-05-28T16:16:24.843

Modified: 2026-05-28T16:16:24.843

Link: CVE-2026-44672

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T16:30:15Z

Weaknesses