PT-2026-28511 · Mapserver · Mapserver

Kevin-Valerio · Published 2026-03-27 · Updated 2026-03-28 · CVE-2026-33721

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

MapServer versions 4.2 through 8.6.0

Description

MapServer is a system for developing web-based GIS applications. A heap-buffer-overflow write in MapServer's SLD (Styled Layer Descriptor) parser allows a remote, unauthenticated attacker to crash the MapServer process. The overflow is triggered by a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure, and is commonly reachable via WMS GetMap with the `SLD_BODY` parameter. The vulnerable component is the SLD parser.

Recommendations

Update to MapServer version 8.6.1 or later.
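
The condition in the description can be checked on the defender's side, for example over access logs or in a request filter in front of an unpatched instance. The following is an added example, not part of the advisory or of MapServer: the function names, the verdict strings and the sample fragment are assumptions, and counting every Threshold descendant of a Categorize element is a conservative choice because the advisory does not say how the parser counts them.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

THRESHOLD_LIMIT = 100  # advisory: "more than 100 Threshold elements"

# Constructed sample (not from the advisory): a benign fragment with 3 thresholds.
SAMPLE_SLD = ('<StyledLayerDescriptor xmlns:se="http://www.opengis.net/se">'
              '<se:ColorMap><se:Categorize>'
              + '<se:Threshold>1</se:Threshold>' * 3
              + '</se:Categorize></se:ColorMap></StyledLayerDescriptor>')

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit('}', 1)[-1]

def max_thresholds(sld_xml):
    """Largest Threshold count under any Categorize; None if the input is unusable."""
    if '<!DOCTYPE' in sld_xml:  # SLD needs no DTD; refuse to expand entities
        return None
    try:
        root = ET.fromstring(sld_xml)
    except ET.ParseError:
        return None
    worst = 0
    for el in root.iter():
        if local(el.tag) == 'Categorize':
            n = sum(1 for d in el.iter() if local(d.tag) == 'Threshold')
            worst = max(worst, n)
    return worst

def classify_request(url, limit=THRESHOLD_LIMIT):
    """Return 'no-sld', 'ok', 'unparsable' or 'suspicious' for one request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # WMS parameter names are case-insensitive, so match SLD_BODY in any case.
    bodies = [v for k, vals in query.items() if k.upper() == 'SLD_BODY' for v in vals]
    if not bodies:
        return 'no-sld'
    counts = [max_thresholds(b) for b in bodies]
    if any(n is not None and n > limit for n in counts):
        return 'suspicious'
    return 'unparsable' if None in counts else 'ok'

if __name__ == '__main__':
    from urllib.parse import quote
    url = 'http://maps.example/mapserv?SERVICE=WMS&REQUEST=GetMap&sld_body=' + quote(SAMPLE_SLD)
    print(classify_request(url), classify_request(url, limit=2))
```

This check only sees an SLD passed inline in the query string; an SLD sent in a POST body or referenced by URL is outside what it inspects, so it complements the upgrade to 8.6.1 rather than replacing it.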

Exploit

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2026-33721
GHSA-CV4M-MR84-FGJP
OPENSUSE-SU-2026:10452-1
OPENSUSE-SU-2026:20476-1
OPENSUSE-SU-2026:20857-1

Affected Products

Mapserver