CVE-2026-46562
Yamcs is a mission control framework. Prior to 5.12.7, the Nashorn ScriptEngine used to evaluate user-supplied JavaScript algorithm text in
CVSS
9.8
Crítico
EPSS
—
KEV
—
Exploit Today
0
0-100
Publicado: 16 jul 2026 · Última mod.: 16 jul 2026 · CWE-94 · CWE-95 · CWE-470
Sin historial EPSS suficiente todavía.
Yamcs is a mission control framework. Prior to 5.12.7, the Nashorn ScriptEngine used to evaluate user-supplied JavaScript algorithm text in yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java was constructed without a ClassFilter, so a user with the ChangeMissionDatabase privilege could override an algorithm through the MdbOverrideApi.updateAlgorithm endpoint and supply JavaScript that reaches arbitrary Java classes (for example Java.type("java.lang.Runtime").getRuntime().exec(...)) to execute arbitrary OS commands as the Yamcs process; in the default configuration with no security.yaml the built-in guest user has superuser=true, making the issue reachable without authentication. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default.
- github.comhttps://github.com/yamcs/yamcs/commit/3c550348f866af4675d2ba4a51d8d12b7c7c6011
- github.comhttps://github.com/yamcs/yamcs/commit/4ff8fda642ea8c3309a4d3f379aa77b763148992
- github.comhttps://github.com/yamcs/yamcs/releases/tag/yamcs-5.12.7
- github.comhttps://github.com/yamcs/yamcs/releases/tag/yamcs-5.13.0
- github.comhttps://github.com/yamcs/yamcs/security/advisories/GHSA-vmwp-vh32-rj75
- github.comhttps://github.com/yamcs/yamcs/security/advisories/GHSA-vmwp-vh32-rj75