CVE-2025-58360

HIGH
2025-11-25 [email protected]
8.2
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 28, 2026 - 19:23 vuln.today
Added to CISA KEV
Dec 12, 2025 - 13:54 cisa
CISA KEV
CVE Published
Nov 25, 2025 - 21:15 nvd
HIGH 8.2

Tags

XXE Geoserver

Description

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

Analysis

GeoServer contains an XXE vulnerability in the WMS GetMap operation allowing unauthenticated attackers to read server files and perform SSRF attacks.

Technical Context

The CWE-611 XXE in the GetMap operation's XML processing allows injecting external entities that read local files or make server-side requests to internal services.

Affected Products

['GeoServer 2.26.0 before 2.26.2', 'GeoServer before 2.25.6']

Remediation

Update GeoServer. Disable external entity processing in XML parsers.

Priority Score

91
Low Medium High Critical
KEV: +50
EPSS: +86.0
CVSS: +41
POC: 0

Share

CVE-2025-58360 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy