Skip to main content

MapServer CVE-2026-42030

| EUVDEUVD-2026-28807 MEDIUM
Basic XSS (CWE-80)
2026-05-08 GitHub_M
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
May 08, 2026 - 18:03 EUVD
Source Code Evidence Fetched
May 08, 2026 - 17:01 vuln.today
Analysis Generated
May 08, 2026 - 17:01 vuln.today
CVE Published
May 08, 2026 - 15:56 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2.

AnalysisAI

Reflected XSS in MapServer 6.0 through 8.6.1 allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript into the browsers of users clicking crafted WMS URLs. The vulnerability exists in the OpenLayers template when FORMAT=application/openlayers is combined with an unsanitized SRS parameter in WMS 1.3.0 requests. MapServer 8.6.2 patches this issue, and no public exploit code or active exploitation has been confirmed, though the attack requires user interaction (clicking a malicious link).

Technical ContextAI

MapServer is a geospatial data publishing platform that exposes WMS (Web Map Service) endpoints. The vulnerability originates in the OpenLayers template, which renders WMS responses. WMS 1.3.0 includes an SRS (Spatial Reference System) parameter that MapServer fails to sanitize before inserting it into HTML output when the FORMAT parameter is set to application/openlayers. This allows an attacker to break out of HTML context and inject arbitrary script tags or event handlers. The root cause is improper output encoding in a templating context (CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page). The affected CPE indicates all MapServer versions from 6.0 onward until the 8.6.2 release are vulnerable.

RemediationAI

Upgrade MapServer to version 8.6.2 or later immediately. Vendor-released patch: MapServer 8.6.2 (released with accompanying security advisory). No workarounds are documented for unsupported branches (7.6, 8.0, 8.2, 8.4). If upgrading is not immediately feasible, apply network-level mitigations: restrict WMS endpoint access via Web Application Firewall (WAF) rules to block FORMAT=application/openlayers requests with suspicious or non-standard SRS parameter values, or require authentication for WMS access (trade-off: may break public-facing map services). Alternatively, disable the OpenLayers template entirely if not required for your application. See vendor migration guide at https://mapserver.org/MIGRATION_GUIDE.html and changelog at https://mapserver.org/development/changelog/changelog-8-6.html#changelog-8-6.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-42030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy