Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2.
AnalysisAI
Reflected XSS in MapServer 6.0 through 8.6.1 allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript into the browsers of users clicking crafted WMS URLs. The vulnerability exists in the OpenLayers template when FORMAT=application/openlayers is combined with an unsanitized SRS parameter in WMS 1.3.0 requests. MapServer 8.6.2 patches this issue, and no public exploit code or active exploitation has been confirmed, though the attack requires user interaction (clicking a malicious link).
Technical ContextAI
MapServer is a geospatial data publishing platform that exposes WMS (Web Map Service) endpoints. The vulnerability originates in the OpenLayers template, which renders WMS responses. WMS 1.3.0 includes an SRS (Spatial Reference System) parameter that MapServer fails to sanitize before inserting it into HTML output when the FORMAT parameter is set to application/openlayers. This allows an attacker to break out of HTML context and inject arbitrary script tags or event handlers. The root cause is improper output encoding in a templating context (CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page). The affected CPE indicates all MapServer versions from 6.0 onward until the 8.6.2 release are vulnerable.
RemediationAI
Upgrade MapServer to version 8.6.2 or later immediately. Vendor-released patch: MapServer 8.6.2 (released with accompanying security advisory). No workarounds are documented for unsupported branches (7.6, 8.0, 8.2, 8.4). If upgrading is not immediately feasible, apply network-level mitigations: restrict WMS endpoint access via Web Application Firewall (WAF) rules to block FORMAT=application/openlayers requests with suspicious or non-standard SRS parameter values, or require authentication for WMS access (trade-off: may break public-facing map services). Alternatively, disable the OpenLayers template entirely if not required for your application. See vendor migration guide at https://mapserver.org/MIGRATION_GUIDE.html and changelog at https://mapserver.org/development/changelog/changelog-8-6.html#changelog-8-6.
Stack-based buffer overflow in MapServer before 6.0.6, 6.2.x before 6.2.4, 6.4.x before 6.4.5, and 7.0.x before 7.0.4 al
In MapServer before 7.0.3, OGR driver error messages are too verbose and may leak sensitive information if data connecti
Denial of service in MapServer 6.4.0 through 8.6.2 allows remote unauthenticated attackers to crash the server by submit
SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when
MapServer versions 4.2 through 8.6.0 are vulnerable to a heap buffer overflow in the SLD (Styled Layer Descriptor) parse
MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and 7.4.x before 7.4.5, and 7.5.x and 7.6.x before 7.6.3 doe
MapServer is a system for developing web-based GIS applications. Rated high severity (CVSS 8.9), this vulnerability is r
Same weakness CWE-80 – Basic XSS
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28807