PT-2025-48086 · Geoserver · Geoserver

Published: 2025-11-25 · Updated: 2025-11-29 · CVE-2025-58360

CVSS v2.0: 8.5
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:P
Name of the Vulnerable Software and Affected Versions: GeoServer versions 2.26.0 through 2.26.1 and versions prior to 2.25.6

Description: GeoServer is an open-source server for sharing and editing geospatial data. A flaw exists in the way the software handles XML input received through the /geoserver/wms GetMap operation. Insufficient sanitization of this input allows attackers to define external entities within XML requests, leading to an XML External Entity (XXE) condition. This can enable an attacker to read arbitrary files from the server's file system, conduct Server-Side Request Forgery (SSRF), or cause a Denial of Service (DoS). Approximately 49.4k instances are reportedly exposed.

Recommendations: Update to GeoServer version 2.25.6, 2.26.3, or 2.27.0.
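As an added, defender-side example that is not GeoServer's own code and not part of this advisory, the check below shows the kind of hardening this bug class calls for: a Python pre-parser (stdlib expat) that refuses any DOCTYPE, entity declaration or external entity reference in a WMS GetMap XML body before the parser can resolve anything. The sample bodies, the layer name and the placeholder file URI are constructed, not captured traffic.

```python
import xml.parsers.expat as expat

class UnsafeXmlRequest(Exception):
    """Raised when an XML request body carries DTD or entity constructs."""

def parse_getmap_safely(body: bytes) -> dict:
    """Parse a WMS GetMap XML body, refusing every DTD construct before the
    parser could resolve anything; returns the root name and element count."""
    p = expat.ParserCreate()
    # Never load parameter entities, so SYSTEM/PUBLIC DTDs are never fetched.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    state = {"root": None, "elements": 0}
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlRequest(f"DOCTYPE '{name}' is not allowed in a GetMap body")
    def on_entity_decl(*_):
        raise UnsafeXmlRequest("entity declarations are not allowed")
    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXmlRequest(f"external entity {sysid!r} refused")
    def on_start(name, attrs):
        state["root"] = state["root"] or name
        state["elements"] += 1
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_entity
    p.StartElementHandler = on_start
    p.Parse(body, True)
    return state

def is_safe_getmap(body: bytes) -> bool:
    """Gatekeeper form for a request filter: True only if no DTD construct was seen."""
    try:
        parse_getmap_safely(body)
        return True
    except UnsafeXmlRequest:
        return False

# Constructed sample bodies (not captured traffic): a plain GetMap POST and the
# same request prefixed with a DOCTYPE that declares an external entity.
BENIGN_GETMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<ogc:GetMap xmlns:ogc="http://www.opengis.net/ows" version="1.1.1" service="WMS">
  <StyledLayerDescriptor version="1.0.0"><NamedLayer><Name>example:layer</Name></NamedLayer></StyledLayerDescriptor>
  <Output><Format>image/png</Format></Output>
</ogc:GetMap>"""
XXE_GETMAP = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE GetMap [<!ENTITY ext SYSTEM "file:///placeholder">]>\n'
              b'<ogc:GetMap xmlns:ogc="http://www.opengis.net/ows">&ext;</ogc:GetMap>')
```

Rejecting at the DOCTYPE stage is deliberate: a legitimate GetMap body never needs a DTD, so the filter can refuse early and log the attempt without ever evaluating the entity.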

Fix

XXE

Weakness Enumeration

Related Identifiers

BDU:2025-14710
CVE-2025-58360
GHSA-FJF5-XGMQ-5525

Affected Products

Geoserver