CVE-2026-42351

Source
https://cve.org/CVERecord?id=CVE-2026-42351
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42351.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42351
Aliases
Published
2026-05-08T22:31:18.001Z
Modified
2026-07-08T08:09:59.149329760Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
pygeoapi: Path Traversal in STAC FileSystemProvider
Details

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42351.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/geopython/pygeoapi

Affected ranges

Type
GIT
Repo
https://github.com/geopython/pygeoapi
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0.23.0"
        },
        {
            "fixed": "0.23.3"
        }
    ]
}

Affected versions

0.*
0.23.0
0.23.1
0.23.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42351.json"