CVE-2025-58360

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-58360
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58360.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-58360
Aliases
Published
2025-11-25T20:17:35.254Z
Modified
2025-11-27T12:48:44.092530Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L CVSS Calculator
Summary
GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
Details

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

Database specific 
{
    "cwe_ids": [
        "CWE-611"
    ]
}
References

Affected packages

Git / github.com/geoserver/geoserver

Affected ranges

Type
GIT
Repo
https://github.com/geoserver/geoserver
Events
Introduced
8f9b3e407de0b6a7d30fb9edf68ac6db0071b7bb
Fixed
dab1947ce0d1a46418ae690734be5ccc5252057b
Database specific 
{
    "versions": [
        {
            "introduced": "2.26.0"
        },
        {
            "fixed": "2.26.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/geoserver/geoserver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e42a91e7e8900ad1b40a4486be4c588e4f848124
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.25.6"
        }
    ]
}