Back to overview

CVE-2026-46621

CRITICAL Exploitation: PoC
9.1
CVSS 3.1
Description
Yamcs is a mission control framework. Prior to 5.12.7, the Yamcs script evaluation engine for Python algorithms dynamically compiled and evaluated user-controlled algorithm text using Jython through the JSR-223 ScriptEngine API without enforcing a secure sandbox, so an authenticated user with the ChangeMissionDatabase privilege could override an existing Python algorithm's logic through the mission database REST API and import and execute arbitrary Java classes such as java.lang.Runtime to achieve remote code execution on the underlying host operating system. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default.

Metadata

CVE ID
CVE-2026-46621
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-15 19:34 UTC
Published
2026-07-16 16:07 UTC
Last updated
2026-07-16 18:00 UTC
Primary CWE
CWE-94
CWE-94: Improper Control of Generation of Code ('Code Inject…
Vendor / Product
yamcs / yamcs
Sources
cve.org  ·  NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
yamcs yamcs < 5.12.7
Weakness (CWE)
CWESourceDescription
CWE-94 cna CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.1 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References (5)
Back to overview