CVSS: 9.9EPSS: 8%CPEs: 3EXPL: 0CVE-2025-30220 – GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling
https://notcve.org/view.php?id=CVE-2025-30220
10 Jun 2025 — GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users o... • https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities • CWE-611: Improper Restriction of XML External Entity Reference CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-30145 – GeoServer has an Infinite Loop Vulnerability in Jiffle process
https://notcve.org/view.php?id=CVE-2025-30145
10 Jun 2025 — GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process. • https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 5.3EPSS: 1%CPEs: 2EXPL: 0CVE-2025-27505 – GeoServer Missing Authorization on REST API Index
https://notcve.org/view.php?id=CVE-2025-27505
10 Jun 2025 — GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. • https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5 • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-40625 – GeoServer Coverage REST API Allows Server Side Request Forgery
https://notcve.org/view.php?id=CVE-2024-40625
10 Jun 2025 — GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no restrict. This vulnerability is fixed in 2.26.0. • https://github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-38524 – GWC Home Page communicate version and revision information
https://notcve.org/view.php?id=CVE-2024-38524
10 Jun 2025 — GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6. • https://github.com/geoserver/geoserver/security/advisories/GHSA-jm79-7xhw-6f6f • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34711 – GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)
https://notcve.org/view.php?id=CVE-2024-34711
10 Jun 2025 — GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^? • https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.8EPSS: 8%CPEs: 2EXPL: 0CVE-2024-29198 – GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost
https://notcve.org/view.php?id=CVE-2024-29198
10 Jun 2025 — GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue. • https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35230 – Welcome and About GeoServer pages communicate version and revision information
https://notcve.org/view.php?id=CVE-2024-35230
16 Dec 2024 — GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarou... • https://github.com/geoserver/geoserver/commit/74fdab745a5deff20ac99abca24d8695fe1a52f8 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 94%CPEs: 6EXPL: 28CVE-2024-36401 – OSGeo GeoServer GeoTools Eval Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-36401
01 Jul 2024 — GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-j... • https://packetstorm.news/files/id/179547 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-34696 – GeoServer's Server Status shows sensitive environmental variables and Java properties
https://notcve.org/view.php?id=CVE-2024-34696
01 Jul 2024 — GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer contai... • https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •