Yamcs is a mission control framework. Prior to 5.12.7, the Yamcs script evaluation engine for Python algorithms dynamically compiled and evaluated user-controlled algorithm text using Jython through the JSR-223 ScriptEngine API without enforcing a secure sandbox, so an authenticated user with the ChangeMissionDatabase privilege could override an existing Python algorithm's logic through the mission database REST API and import and execute arbitrary Java classes such as java.lang.Runtime to achieve remote code execution on the underlying host operating system. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-2g95-6x5q-xjwj | Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 16 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 16 Jul 2026 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Yamcs
Yamcs yamcs |
|
| Vendors & Products |
Yamcs
Yamcs yamcs |
Thu, 16 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Yamcs is a mission control framework. Prior to 5.12.7, the Yamcs script evaluation engine for Python algorithms dynamically compiled and evaluated user-controlled algorithm text using Jython through the JSR-223 ScriptEngine API without enforcing a secure sandbox, so an authenticated user with the ChangeMissionDatabase privilege could override an existing Python algorithm's logic through the mission database REST API and import and execute arbitrary Java classes such as java.lang.Runtime to achieve remote code execution on the underlying host operating system. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default. | |
| Title | Yamcs: Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection | |
| Weaknesses | CWE-94 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T18:00:50.323Z
Reserved: 2026-05-15T19:34:14.012Z
Link: CVE-2026-46621
Updated: 2026-07-16T18:00:00.790Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T17:30:03Z
Weaknesses
Github GHSA