| Severity | CVSS | CVE | KEV | Advisory | Affected versions |
|---|---|---|---|---|---|
| CRITICAL | 9.8 | CVE-2024-36401 | Yes | Remote Code Execution (RCE) vulnerability in geoserver | >= 2.24.0, < 2.24.4 |
| HIGH | 8.2 | CVE-2025-58360 | Yes | GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature | >= 2.26.0, < 2.26.2 |
| CRITICAL | 9.3 | (none listed) | No | GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF) | from 0, < 2.25.0 |
| HIGH | 8.2 | (none listed) | No | [XBOW-025-068] XML External Entity (XXE) Processing Vulnerability in GeoServer WFS Service | >= 2.27.0, < 2.27.1 |
| HIGH | 7.5 | (none listed) | No | GeoServer Infinite Loop Vulnerability in Jiffle process | >= 2.26.0, < 2.26.3 |
| HIGH | 7.5 | (none listed) | No | Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat | from 0, < 2.23.5 |
| HIGH | 7.2 | (none listed) | No | GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page | >= 2.27.0, < 2.27.3 |
| MEDIUM | 6.5 | (none listed) | No | GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution | from 0, < 2.26.4 |
| MEDIUM | 6.1 | (none listed) | No | GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format | from 0, < 2.25.0 |
| MEDIUM | 5.5 | (none listed) | No | Coverage REST API Server Side Request Forgery | from 0, < 2.26.0 |
| MEDIUM | 5.3 | (none listed) | No | GeoServer Missing Authorization on REST API Index | >= 2.26.0, < 2.26.3 |
| MEDIUM | 5.3 | (none listed) | No | GWC Home Page communicate version and revision information | >= 2.26.0, < 2.26.2 |
| MEDIUM | 5.3 | (none listed) | No | Welcome and About GeoServer pages communicate version and revision information | >= 2.0.0, < 2.25.1 |
| MEDIUM | 5.3 | (none listed) | No | Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF | from 0, < 2.22.5 |
| MEDIUM | 4.5 | (none listed) | No | GeoServer's Server Status shows sensitive environmental variables and Java properties | >= 2.10.0, < 2.24.4 |