What is the CVSS score of CVE-2026-45104?

CVE-2026-45104 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of MapServer are affected by CVE-2026-45104?

MapServer versions 6.4.0 through 8.6.2 contain a denial-of-service vulnerability allowing remote attackers to crash the server through a malformed WMS styling request.. A patch is available.

MapServer CVE-2026-45104

EUVD-2026-32631 HIGH

Improper Validation of Array Index (CWE-129)

2026-05-27 GitHub_M

Denial Of Service Mapserver

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch available

May 27, 2026 - 21:04 EUVD

Analysis Generated

May 27, 2026 - 20:36 vuln.today

DescriptionNVD

MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> - it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.

AnalysisAI

Denial of service in MapServer 6.4.0 through 8.6.2 allows remote unauthenticated attackers to crash the server by submitting a small well-formed SLD document via the WMS SLD_BODY= parameter. The flaw is a NULL pointer dereference reached when an SLD <Rule> carries <ElseFilter/> but defines no symbolizer, causing the styling code to index a class array at position -1. …

RemediationAI

Within 24 hours: identify and inventory all MapServer deployments and document versions in use. Within 7 days: upgrade all instances running versions 6.4.0-8.6.2 to MapServer 8.6.3 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-45104 vulnerability details – vuln.today

Back

MapServer CVE-2026-45104

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code