Maven package
org.geoserver/gs-wms
pkg:maven/org.geoserver/gs-wms
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-21621 | — | | | < 2.25.0 | 2.25.0 | Nov 25, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript |
| CVE-2025-58360 | — | | KEV | >= 2.26.0, < 2.26.2 | 2.26.2 | Nov 25, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms |
| CVE-2025-30145 | — | | | >= 2.26.0, < 2.26.3 | 2.26.3 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of serv |
| CVE-2024-36401 | — | | KEV | >= 2.24.0, < 2.24.4 | 2.24.4 | Jul 1, 2024 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a defau |
| CVE-2024-23818 | — | | | < 2.23.3 | 2.23.3 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.1 that enables an authenticated administrator with workspace-level privil |
| CVE-2024-23642 | — | | | < 2.23.4 | 2.23.4 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level privil |
| CVE-2023-41339 | — | | | < 2.22.5 | 2.22.5 | Oct 24, 2023 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an `sld=` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the |
| CVE-2023-35042 | — | | | < 2.18.6 | 2.18.6 | Jun 12, 2023 | GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in |