CVE-2026-46621: Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection

May 27, 2026

A Server-Side Code Injection vulnerability exists in the Yamcs script evaluation engine for Python algorithms. The application dynamically compiles and evaluates user-controlled algorithm text using Jython (via the JSR-223 ScriptEngine API) without enforcing a secure sandbox. An authenticated user with the ChangeMissionDatabase privilege can exploit this by overriding the algorithm logic through the REST API, achieving Remote Code Execution (RCE) on the underlying host operating system.

References

github.com/advisories/GHSA-2g95-6x5q-xjwj
github.com/yamcs/yamcs/security/advisories/GHSA-2g95-6x5q-xjwj
nvd.nist.gov/vuln/detail/CVE-2026-46621

Code Behaviors & Features

Detect and mitigate CVE-2026-46621 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →