VYPR
Medium severity6.1NVD Advisory· Published May 8, 2026· Updated May 14, 2026

CVE-2026-42030

CVE-2026-42030

Description

MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • MapServer/Mapserverreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: >=6.0, <8.6.2
  • cpe:2.3:a:osgeo:mapserver:*:*:*:*:*:*:*:*
    Range: >=6.0.0,<8.6.2

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.