Attack Chain

1. The attacker crafts a malicious HTTP request targeting the Dynamic table functionality in Mapfish Print.
2. This request contains a payload designed to inject arbitrary code into the server-side processing logic.
3. The injected code leverages a vulnerability in how Mapfish Print handles data within the Dynamic table component.
4. Mapfish Print processes the malicious request, inadvertently executing the injected code.
5. The injected code gains access to the underlying operating system with the privileges of the Mapfish Print application.
6. The attacker uses the gained access to execute system commands.
7. The attacker deploys a reverse shell to establish a persistent connection to the compromised server.
8. The attacker pivots within the network to compromise additional systems or exfiltrate sensitive data.

Impact

Successful exploitation of CVE-2026-44672 allows unauthenticated attackers to execute arbitrary code on systems running vulnerable versions of Mapfish Print. This can lead to complete system compromise, data theft, and disruption of services. The number of affected installations is currently unknown, but organizations using Mapfish Print for critical mapping and printing services are at high risk.

Recommendation

• Immediately upgrade Mapfish Print print-lib and print-servlet components to a patched version greater than or equal to 3.28.28, 3.30.30, 3.31.21, 3.33.14, or 4.0.3, as indicated in the advisory.
• Deploy the Sigma rule to detect exploitation attempts targeting CVE-2026-44672 by monitoring for suspicious HTTP requests.
• Review network traffic to Mapfish Print servers for unusual patterns or connections originating from unexpected locations.
• Implement strict input validation and sanitization measures to prevent code injection vulnerabilities.