{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "3.23.0"
              },
              {
                "fixed": "3.28.28"
              },
              {
                "introduced": "3.29.0"
              },
              {
                "fixed": "3.30.30"
              },
              {
                "introduced": "3.31.0"
              },
              {
                "fixed": "3.31.21"
              },
              {
                "introduced": "3.34.0"
              },
              {
                "fixed": "4.0.3"
              },
              {
                "introduced": "3.32.0"
              },
              {
                "fixed": "3.33.14"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "f90934635ebd06a6cb904e9adf8e80c2ce566609"
            },
            {
              "fixed": "ead60e1d438a6a8e04cff6e058017447ffe71219"
            },
            {
              "introduced": "0"
            },
            {
              "fixed": "b31b85154dc2c399b40df36aa40268c13975f1fb"
            },
            {
              "fixed": "37629e0fa7df40e33c932cbe46b29366c4b14eb1"
            },
            {
              "fixed": "99546fc6e2d6fff9e48fe1ccb6b9dc66de01e75c"
            },
            {
              "introduced": "b4183098cf4df8e3baffdcb2757bb1f0a6c76853"
            },
            {
              "fixed": "e5fc8c066664705c4754df7df856fe18d95849cf"
            }
          ],
          "repo": "https://github.com/mapfish/mapfish-print",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-q7m6-wpvf-mvwx"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44672.json"
  },
  "details": "mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, the attacker can execute arbitrary code  in Dynamic table without being authenticated. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3.",
  "id": "CVE-2026-44672",
  "modified": "2026-07-15T01:48:56.284171697Z",
  "published": "2026-05-28T14:35:29.378Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44672.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/mapfish/mapfish-print/security/advisories/GHSA-q7m6-wpvf-mvwx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44672"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "mapfish-print: Remote Code Injection (RCE) in Dynamic table"
}