Vendor CVEs
Geoserver
All CVEs
33 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-27511 | hig | 0.45 | — | 0.01 | Jun 11, 2026 | ## Summary Administrator can perform JNDI attack through specially crafted DB2 jdbc url leading to Remote Code Execution (RCE). ## Impact If GeoServer has DB2 extension installed, this vulnerability can lead to executing arbitrary code. ## Details Authenticated users can… | ||
| CVE-2025-52465 | hig | 0.39 | — | 0.00 | Jun 12, 2026 | ### Summary A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be… | ||
| CVE-2025-58360 | 0.22 | — | 0.67 | KEV | Nov 25, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms… | ||
| CVE-2024-36401 | 0.16 | — | 1.00 | KEV | Jul 1, 2024 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a… | ||
| CVE-2023-43795 | 0.07 | — | 0.68 | Oct 24, 2023 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for… | |||
| CVE-2021-40822 | 0.07 | — | 0.19 | May 1, 2022 | GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host. | |||
| CVE-2023-35042 | 0.03 | — | 0.43 | Jun 12, 2023 | GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this… | |||
| CVE-2024-29198 | 0.01 | — | 0.02 | Jun 10, 2025 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2,… | |||
| CVE-2025-58175 | 0.00 | — | 0.00 | Jun 12, 2026 | ### Summary A GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF). ### Details This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST`… | |||
| CVE-2025-21621 | 0.00 | — | 0.00 | Nov 25, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary… | |||
| CVE-2025-30220 | 0.00 | — | 0.51 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with… | |||
| CVE-2025-30145 | 0.00 | — | 0.00 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of… | |||
| CVE-2025-27505 | 0.00 | — | 0.01 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The… | |||
| CVE-2024-40625 | 0.00 | — | 0.00 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no… | |||
| CVE-2024-38524 | 0.00 | — | 0.00 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system… | |||
| CVE-2024-34711 | 0.00 | — | 0.00 | Jun 10, 2025 | GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default,… | |||
| CVE-2024-35230 | 0.00 | — | 0.01 | Dec 16, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This… | |||
| CVE-2024-34696 | 0.00 | — | 0.00 | Jul 1, 2024 | GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with… | |||
| CVE-2024-24749 | 0.00 | — | 0.01 | Jul 1, 2024 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.5 and 2.24.3, if GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation… | |||
| CVE-2024-23821 | 0.00 | — | 0.00 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level… | |||
| CVE-2024-23819 | 0.00 | — | 0.00 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level… | |||
| CVE-2024-23818 | 0.00 | — | 0.00 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.1 that enables an authenticated administrator with workspace-level… | |||
| CVE-2024-23643 | 0.00 | — | 0.00 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.2 and 2.24.1 that enables an authenticated administrator with workspace-level… | |||
| CVE-2024-23642 | 0.00 | — | 0.00 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level… | |||
| CVE-2024-23640 | 0.00 | — | 0.00 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level… | |||
| CVE-2024-23634 | 0.00 | — | 0.01 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores… | |||
| CVE-2023-51445 | 0.00 | — | 0.00 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level… | |||
| CVE-2023-51444 | 0.00 | — | 0.02 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with permissions to modify coverage… | |||
| CVE-2023-41877 | 0.00 | — | 0.01 | Mar 20, 2024 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A path traversal vulnerability in versions 2.23.4 and prior requires GeoServer Administrator with access to the admin console to misconfigure the Global Settings for… | |||
| CVE-2023-41339 | 0.00 | — | 0.01 | Oct 24, 2023 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the… | |||
| CVE-2023-25157 | 0.00 | — | 0.85 | Feb 21, 2023 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service… | |||
| CVE-2022-24847 | 0.00 | — | 0.01 | Apr 13, 2022 | GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code… | |||
| CVE-2008-7227 | 0.00 | — | 0.01 | Sep 14, 2009 | PartialBufferOutputStream2 in GeoServer before 1.6.1 and 1.7.0-beta1 attempts to flush buffer contents even when it is handling an "in memory buffer," which prevents the reporting of a service exception, with unknown impact and attack vectors. |
- risk 0.45cvss —epss 0.01
## Summary Administrator can perform JNDI attack through specially crafted DB2 jdbc url leading to Remote Code Execution (RCE). ## Impact If GeoServer has DB2 extension installed, this vulnerability can lead to executing arbitrary code. ## Details Authenticated users can…
- risk 0.39cvss —epss 0.00
### Summary A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be…
- risk 0.22cvss —epss 0.67
GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms…
- risk 0.16cvss —epss 1.00
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a…
- CVE-2023-43795Oct 24, 2023risk 0.07cvss —epss 0.68
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for…
- CVE-2021-40822May 1, 2022risk 0.07cvss —epss 0.19
GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.
- CVE-2023-35042Jun 12, 2023risk 0.03cvss —epss 0.43
GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this…
- CVE-2024-29198Jun 10, 2025risk 0.01cvss —epss 0.02
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2,…
- CVE-2025-58175Jun 12, 2026risk 0.00cvss —epss 0.00
### Summary A GeoServer that uses `ENTITY_RESOLUTION_ALLOWLIST` may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF). ### Details This vulnerability requires that GeoServer is set up to use a proxy base URL and the `ENTITY_RESOLUTION_ALLOWLIST`…
- CVE-2025-21621Nov 25, 2025risk 0.00cvss —epss 0.00
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary…
- CVE-2025-30220Jun 10, 2025risk 0.00cvss —epss 0.51
GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with…
- CVE-2025-30145Jun 10, 2025risk 0.00cvss —epss 0.00
GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of…
- CVE-2025-27505Jun 10, 2025risk 0.00cvss —epss 0.01
GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The…
- CVE-2024-40625Jun 10, 2025risk 0.00cvss —epss 0.00
GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no…
- CVE-2024-38524Jun 10, 2025risk 0.00cvss —epss 0.00
GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system…
- CVE-2024-34711Jun 10, 2025risk 0.00cvss —epss 0.00
GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default,…
- CVE-2024-35230Dec 16, 2024risk 0.00cvss —epss 0.01
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This…
- CVE-2024-34696Jul 1, 2024risk 0.00cvss —epss 0.00
GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with…
- CVE-2024-24749Jul 1, 2024risk 0.00cvss —epss 0.01
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.5 and 2.24.3, if GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation…
- CVE-2024-23821Mar 20, 2024risk 0.00cvss —epss 0.00
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level…
- CVE-2024-23819Mar 20, 2024risk 0.00cvss —epss 0.00
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level…
- CVE-2024-23818Mar 20, 2024risk 0.00cvss —epss 0.00
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.1 that enables an authenticated administrator with workspace-level…
- CVE-2024-23643Mar 20, 2024risk 0.00cvss —epss 0.00
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.2 and 2.24.1 that enables an authenticated administrator with workspace-level…
- CVE-2024-23642Mar 20, 2024risk 0.00cvss —epss 0.00
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level…
- CVE-2024-23640Mar 20, 2024risk 0.00cvss —epss 0.00
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level…
- CVE-2024-23634Mar 20, 2024risk 0.00cvss —epss 0.01
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores…
- CVE-2023-51445Mar 20, 2024risk 0.00cvss —epss 0.00
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level…
- CVE-2023-51444Mar 20, 2024risk 0.00cvss —epss 0.02
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with permissions to modify coverage…
- CVE-2023-41877Mar 20, 2024risk 0.00cvss —epss 0.01
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A path traversal vulnerability in versions 2.23.4 and prior requires GeoServer Administrator with access to the admin console to misconfigure the Global Settings for…
- CVE-2023-41339Oct 24, 2023risk 0.00cvss —epss 0.01
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the…
- CVE-2023-25157Feb 21, 2023risk 0.00cvss —epss 0.85
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service…
- CVE-2022-24847Apr 13, 2022risk 0.00cvss —epss 0.01
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code…
- CVE-2008-7227Sep 14, 2009risk 0.00cvss —epss 0.01
PartialBufferOutputStream2 in GeoServer before 1.6.1 and 1.7.0-beta1 attempts to flush buffer contents even when it is handling an "in memory buffer," which prevents the reporting of a service exception, with unknown impact and attack vectors.