CVE-2026-44632: Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`
A server-side code injection vulnerability exists in the Yamcs algorithm evaluation engine (`org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory`). The application dynamically compiles and evaluates user-controlled algorithm text without enforcing a secure sandbox. An authenticated user with the `ChangeMissionDatabase` privilege can exploit this to achieve Remote Code Execution (RCE) on the underlying host operating system via the Janino compiler.