Maven package
org.geoserver.web/gs-web-app
pkg:maven/org.geoserver.web/gs-web-app
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-21621 | — | | | < 2.25.0 | 2.25.0 | Nov 25, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript |
| CVE-2025-58360 | — | | KEV | >= 2.26.0, < 2.26.2 | 2.26.2 | Nov 25, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms |
| CVE-2025-30220 | — | | | >= 2.27.0, < 2.27.1 | 2.27.1 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd- |
| CVE-2025-30145 | — | | | >= 2.26.0, < 2.26.3 | 2.26.3 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of serv |
| CVE-2025-27505 | — | | | >= 2.26.0, < 2.26.3 | 2.26.3 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST |
| CVE-2024-40625 | — | | | < 2.26.0 | 2.26.0 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no restri |
| CVE-2024-38524 | — | | | >= 2.26.0, < 2.26.2 | 2.26.2 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system prop |
| CVE-2024-34711 | — | | | < 2.25.0 | 2.25.0 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoSe |
| CVE-2024-35230 | — | | | >= 2.0.0, < 2.25.1 | 2.25.1 | Dec 16, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This infor |
| CVE-2024-36401 | — | | KEV | >= 2.24.0, < 2.24.4 | 2.24.4 | Jul 1, 2024 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a defau |
| CVE-2024-34696 | — | | | >= 2.10.0, < 2.24.4 | 2.24.4 | Jul 1, 2024 | GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with a |
| CVE-2024-24749 | — | | | < 2.23.5 | 2.23.5 | Jul 1, 2024 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.5 and 2.24.3, if GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation |
| CVE-2023-41339 | — | | | < 2.22.5 | 2.22.5 | Oct 24, 2023 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the |
| CVE-2008-7227 | — | | | < 1.6.1 | 1.6.1 | Sep 14, 2009 | PartialBufferOutputStream2 in GeoServer before 1.6.1 and 1.7.0-beta1 attempts to flush buffer contents even when it is handling an "in memory buffer," which prevents the reporting of a service exception, with unknown impact and attack vectors. |