PT-2025-48086 · Geoserver · Geoserver

Published: 2025-11-25 · Updated: 2026-04-15 · CVE-2025-58360

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GeoServer versions 2.26.0 through 2.26.1 and versions prior to 2.25.6
Description: GeoServer is an open-source server for sharing and editing geospatial data. The WMS GetMap operation improperly restricts XML external entity references (XXE). An attacker can define external entities in an XML request, which can lead to arbitrary file reading, Server-Side Request Forgery (SSRF), and denial of service. The vulnerability is actively exploited and has been added to the CISA KEV catalog. The affected /geoserver/wms endpoint is reachable without authentication. An estimated 20,000+ publicly exposed assets are affected.
Recommendations: Update to GeoServer version 2.25.6, 2.26.3, or 2.27.0.
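As an added example that is not part of this advisory or of the GeoServer project: a defender-side triage check that runs over captured XML request bodies to the WMS endpoint and flags DOCTYPE declarations and external entity definitions, the construct this vulnerability abuses. It assumes request bodies are available from a reverse proxy or WAF capture; the sample bodies and the example.invalid URLs are constructed.

```python
import re

# Constructed sample POST bodies as a proxy might capture them for /geoserver/wms.
SAMPLE_REQUESTS = {
    "benign": (
        '<?xml version="1.0"?>\n'
        '<GetMap xmlns="http://www.opengis.net/sld" version="1.3.0">'
        '<Format>image/png</Format></GetMap>'
    ),
    "external_entity": (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE GetMap [<!ENTITY ext SYSTEM "http://example.invalid/resource">]>\n'
        '<GetMap xmlns="http://www.opengis.net/sld">&ext;</GetMap>'
    ),
    "parameter_entity": (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE GetMap [<!ENTITY % p SYSTEM "http://example.invalid/dtd">%p;]>\n'
        '<GetMap/>'
    ),
    "internal_entity_only": (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE GetMap [<!ENTITY name "value">]>\n'
        '<GetMap>&name;</GetMap>'
    ),
}

# A GetMap/SLD body has no legitimate need for a DOCTYPE; an external
# identifier (SYSTEM/PUBLIC) on an entity is what makes it an XXE vector.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def classify_wms_body(body: str) -> dict:
    """Return triage findings for one XML request body sent to the WMS endpoint."""
    findings = {
        "doctype": bool(DOCTYPE_RE.search(body)),
        "external_entities": [],   # names of entities with SYSTEM/PUBLIC identifiers
        "parameter_entities": [],  # subset declared with '%', used to pull remote DTDs
    }
    for m in ENTITY_RE.finditer(body):
        is_param, name = bool(m.group(1)), m.group(2)
        findings["external_entities"].append(name)
        if is_param:
            findings["parameter_entities"].append(name)
    if findings["external_entities"]:
        findings["severity"] = "high"      # external entity: block and alert
    elif findings["doctype"]:
        findings["severity"] = "medium"    # DOCTYPE with no external ref: unusual, review
    else:
        findings["severity"] = "none"
    return findings
```

Detection is a compensating control only; the fix is the upgrade listed above.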

Tags: Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers

BDU:2025-14710
CVE-2025-58360
GHSA-FJF5-XGMQ-5525

Affected Products

Geoserver