PT-2025-48086 · Geoserver · Geoserver

Published 2025-11-25 · Updated 2026-02-01 · CVE-2025-58360

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GeoServer versions 2.26.0 through 2.26.1 and versions prior to 2.25.6
Description: GeoServer is an open-source server for sharing and editing geospatial data. The vulnerability stems from improper restriction of XML external entity references (XXE) in the WMS GetMap operation: an attacker can declare external entities inside an XML request, which may lead to unauthorized file disclosure, Server-Side Request Forgery (SSRF), and denial-of-service conditions. The vulnerability is actively exploited and affects systems that expose the /geoserver/wms endpoint; roughly 20,000 or more internet-exposed assets are affected. Successful exploitation lets an unauthenticated attacker read arbitrary files from the server and potentially cause denial of service or reach internal systems.
Recommendations: Update to GeoServer version 2.25.6, 2.26.3, or 2.27.0.
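Two defender-side checks that follow from the advisory, added here as an example (not code from Positive Technologies or the GeoServer project): a version test that encodes exactly the affected ranges stated above, and a scanner that flags DOCTYPE and external-entity declarations in request bodies sent to /geoserver/wms, where a GetMap request has no legitimate use for them. The sample request bodies, the path check and the regular expressions are assumptions constructed for this example.

```python
"""Defensive checks for CVE-2025-58360 (XXE in GeoServer WMS GetMap)."""
import re
from typing import List, Tuple

# Affected ranges exactly as the advisory states them: 2.26.0 through 2.26.1,
# and every release before 2.25.6. Fixed releases: 2.25.6, 2.26.3, 2.27.0.
def parse_version(text: str) -> Tuple[int, ...]:
    """'2.26.1' -> (2, 26, 1); missing components are treated as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected_version(version: str) -> bool:
    v = parse_version(version)
    return v < (2, 25, 6) or (2, 26, 0) <= v <= (2, 26, 1)

# Constructs that a WMS GetMap request body never needs (assumed patterns).
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY_RE = re.compile(r"%[A-Za-z_][\w.-]*;")

def scan_wms_request(path: str, body: str) -> List[str]:
    """Return reasons to flag the request; an empty list means nothing suspicious."""
    if "/geoserver/wms" not in path.lower():   # assumed endpoint filter
        return []
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("DOCTYPE declaration in WMS request body")
    if EXTERNAL_ENTITY_RE.search(body):
        findings.append("external entity (SYSTEM/PUBLIC) declared")
    if PARAM_ENTITY_RE.search(body):
        findings.append("parameter entity reference")
    return findings

# Constructed sample bodies (not captured traffic; the URI is a placeholder).
BENIGN_BODY = (
    '<?xml version="1.0"?>'
    '<GetMap xmlns="http://www.opengis.net/ows" version="1.1.1">'
    '<Output><Format>image/png</Format></Output></GetMap>')
XXE_BODY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE GetMap [<!ENTITY ext SYSTEM "file:///CONSTRUCTED/placeholder">]>'
    '<GetMap xmlns="http://www.opengis.net/ows" version="1.1.1">'
    '<Output><Format>&ext;</Format></Output></GetMap>')

if __name__ == "__main__":
    for ver in ("2.25.5", "2.25.6", "2.26.1", "2.26.3"):
        print(ver, "affected" if is_affected_version(ver) else "not affected")
    print(scan_wms_request("/geoserver/wms", XXE_BODY))
```

The version check deliberately says nothing about releases the advisory does not list, so pair it with the vendor's own release notes before treating an unlisted version as safe.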

Fix

XXE

Weakness Enumeration

Related Identifiers

BDU:2025-14710
CVE-2025-58360
GHSA-FJF5-XGMQ-5525

Affected Products

Geoserver