CVE-2026-44672 — Mapfish Print: Remote Code Injection (RCE) in Dynamic table

Description

### Impact The attacker can execute arbitrary code without being authenticated ### Mitigation Upgrade to a patched version (please check affected/patched version matrix) ### Credits Bug Bounty of Canton du Jura

How to fix CVE-2026-44672

To remediate CVE-2026-44672, upgrade the affected package to a fixed version below.

Maven/org.mapfish.print:print-lib—upgrade to 3.28.28 or later
Maven/org.mapfish.print:print-servlet—upgrade to 3.28.28 or later

Is CVE-2026-44672 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.23.0, < 3.28.28
>= 3.23.0, < 3.28.28

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-44672
PATCHgithub.com/mapfish/mapfish-print
WEBgithub.com/mapfish/mapfish-print/security/advisories/GHSA-q7m6-wpvf-mvwx