Osgeo Geoserver
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Osgeo Geoserver.
Known Exploited Osgeo Geoserver Vulnerabilities
The following Osgeo Geoserver vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability |
OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request. CVE-2025-58360 Exploit Probability: 87.2% |
December 11, 2025 |
| OSGeo GeoServer GeoTools Eval Injection Vulnerability |
OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input. CVE-2024-36401 Exploit Probability: 94.4% |
July 15, 2024 |
Of the known exploited vulnerabilities above, 2 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 0 vulnerabilities in Osgeo Geoserver. Last year, in 2025 Geoserver had 2 security vulnerabilities published. Right now, Geoserver is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 2 | 8.20 |
| 2024 | 2 | 4.80 |
| 2023 | 3 | 8.30 |
| 2022 | 2 | 7.35 |
It may take a day or so for new Geoserver vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Osgeo Geoserver Security Vulnerabilities
GeoServer XXE via GetMap XML (2.26.02.26.1)
CVE-2025-58360
8.2 - High
- November 25, 2025
GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.
XXE
GeoServer SSRF via Demo request endpoint – fixed in 2.24.4/2.25.2
CVE-2024-29198
- June 10, 2025
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.
SSRF
GeoServer GWC Demos XSS before 2.23.4 & 2.24.1
CVE-2024-23821
4.8 - Medium
- March 20, 2024
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user's browser when viewed in the GWC Demos Page. Access to the GWC Demos Page is available to all users although data security may limit users' ability to trigger the XSS. Versions 2.23.4 and 2.24.1 contain a patch for this issue.
XSS
Stored XSS in GeoServer WMS OpenLayers Output 2.23.2 / 2.24.0
CVE-2024-23818
4.8 - Medium
- March 20, 2024
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.1 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog that will execute in the context of another user's browser when viewed in the WMS GetMap OpenLayers Output Format. Access to the WMS OpenLayers Format is available to all users by default although data and service security may limit users' ability to trigger the XSS. Versions 2.23.3 and 2.24.1 contain a patch for this issue.
XSS
GeoServer WMS URL SSRF (before 2.22.5/2.23.2)
CVE-2023-41339
5.3 - Medium
- October 25, 2023
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=<url>`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery. This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access. This vulnerability has been patched in versions 2.22.5 and 2.23.2.
SSRF
GeoServer < 2.22.5 / 2.23.2: ServerSide Request Forgery via WPS GET/POST
CVE-2023-43795
9.8 - Critical
- October 25, 2023
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
SSRF
GeoServer 2.x CQL encode misuse (strEndsWith/strStartsWith)
CVE-2023-25157
9.8 - Critical
- February 21, 2023
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.
SQL Injection
GeoServer through 2.18.5 and 2.19.x through 2.19.2
CVE-2021-40822
7.5 - High
- May 02, 2022
GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.
SSRF
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data
CVE-2022-24847
7.2 - High
- April 13, 2022
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API. The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 1.19.6. Users unable to upgrade should restrict access to the `geoserver/web` and `geoserver/rest` via a firewall and ensure that the GeoWebCache is not remotely accessible.
EL Injection
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Osgeo Geoserver or by Osgeo? Click the Watch button to subscribe.
