What is GHSA-q7m6-wpvf-mvwx?

GHSA-q7m6-wpvf-mvwx is a security advisory published by GitHub Security Advisories with Critical severity. Mapfish Print: Remote Code Injection (RCE) in Dynamic table

Which CVE IDs does GHSA-q7m6-wpvf-mvwx cover?

GHSA-q7m6-wpvf-mvwx covers the following CVE IDs: CVE-2026-44672. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-q7m6-wpvf-mvwx?

GHSA-q7m6-wpvf-mvwx affects 10 products, including: maven/org.mapfish.print:print-lib:\u003e= 3.23.0, \u003c 3.28.28; maven/org.mapfish.print:print-lib:\u003e= 3.29.0, \u003c 3.30.30; maven/org.mapfish.print:print-lib:\u003e= 3.31.0, \u003c 3.31.21; maven/org.mapfish.print:print-lib:\u003e= 3.32.0, \u003c 3.33.14; maven/org.mapfish.print:print-lib:\u003e= 3.34.0, \u003c 4.0.3; and others — see the full list on the advisory page.

GHSA-q7m6-wpvf-mvwxCritical

Mapfish Print: Remote Code Injection (RCE) in Dynamic table

Vendor

GitHub Security Advisories

Published

May 13, 2026

Last Modified

June 9, 2026

🔗 CVE IDs covered (1)

CVE-2026-44672 →

📋 Description

Impact

The attacker can execute arbitrary code without being authenticated

Mitigation

Upgrade to a patched version (please check affected/patched version matrix)

Credits

Bug Bounty of Canton du Jura

🎯 Affected products10

maven/org.mapfish.print:print-lib:>= 3.23.0, < 3.28.28
maven/org.mapfish.print:print-lib:>= 3.29.0, < 3.30.30
maven/org.mapfish.print:print-lib:>= 3.31.0, < 3.31.21
maven/org.mapfish.print:print-lib:>= 3.32.0, < 3.33.14
maven/org.mapfish.print:print-lib:>= 3.34.0, < 4.0.3
maven/org.mapfish.print:print-servlet:>= 3.23.0, < 3.28.28
maven/org.mapfish.print:print-servlet:>= 3.29.0, < 3.30.30
maven/org.mapfish.print:print-servlet:>= 3.31.0, < 3.31.21
maven/org.mapfish.print:print-servlet:>= 3.32.0, < 3.33.14
maven/org.mapfish.print:print-servlet:>= 3.34.0, < 4.0.3