Back to overview

CVE-2026-46562

CRITICAL Exploitation: PoC
9.8
CVSS 3.1
Description
Yamcs is a mission control framework. Prior to 5.12.7, the Nashorn ScriptEngine used to evaluate user-supplied JavaScript algorithm text in yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java was constructed without a ClassFilter, so a user with the ChangeMissionDatabase privilege could override an algorithm through the MdbOverrideApi.updateAlgorithm endpoint and supply JavaScript that reaches arbitrary Java classes (for example Java.type("java.lang.Runtime").getRuntime().exec(...)) to execute arbitrary OS commands as the Yamcs process; in the default configuration with no security.yaml the built-in guest user has superuser=true, making the issue reachable without authentication. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default.

Metadata

CVE ID
CVE-2026-46562
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-14 20:42 UTC
Published
2026-07-16 16:06 UTC
Last updated
2026-07-16 18:02 UTC
Primary CWE
CWE-94
CWE-94: Improper Control of Generation of Code ('Code Inject…
Vendor / Product
yamcs / yamcs
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
yamcs yamcs < 5.12.7
Weakness (CWE)
CWESourceDescription
CWE-470 cna CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-94 cna CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-95 cna CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References (5)
Back to overview