Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-58360

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

Published

2025-11-25T21:15:56.363

Last Modified

2025-12-12T13:54:01.187

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.2 (HIGH)

Weaknesses

Type: Secondary
CWE-611

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	geoserver	geoserver	< 2.25.6	Yes
Application	geoserver	geoserver	< 2.26.2	Yes

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525 Vendor Advisory ([email protected])
https://osgeo-org.atlassian.net/browse/GEOS-11682 Issue Tracking ([email protected])
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360 US Government Resource (134c704f-9b21-4f2e-91b3-4a467353bcc0)