CVE-2025-52465
Published 2026-06-18
Priority: P3 49 | Severity: high | CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.35% (27.2th percentile)
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to the target file, the target file cannot already exist and all parent directories must already exist. Versions 2.26.4 and 2.27.3 contain a fix. GeoServer installations where the web interface is either disabled or completely removed are not affected, since the vulnerability exists in one of the web pages.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geoserver | org.geoserver.web_gs-web-app | < 2.26.4 | 2.26.4 |
| geoserver | org.geoserver.web_gs-web-app | — | — |
| geoserver | org.geoserver.web_gs-web-sec-core | < 2.26.4 | 2.26.4 |
| geoserver | org.geoserver.web_gs-web-sec-core | — | — |
| osgeo | geoserver | < 2.26.4 | 2.26.4 |
| osgeo | geoserver | >= 2.27.0 < 2.27.3 | 2.27.3 |
VulDB
vuldb · 2026-06-18
CVE-2025-52465 [LOW] geoserver org.geoserver.web:gs-web-app up to 2.26.3/2.27.2 Web Interface file inclusion (GHSA-7qmg-grcp-qf25)
A vulnerability, which was classified as problematic, was found in geoserver org.geoserver.web:gs-web-app and org.geoserver.web:gs-web-sec-core up to 2.26.3/2.27.2. Impacted is an unknown function of the component Web Interface. The manipulation results in file inclusion.
This vulnerability is cataloged as CVE-2025-52465. The attack may be launched remotely. Furthermore, there is an exploit available.
You should upgrade the affected component.
GHSA
ghsa · 2026-06-12
CVE-2025-52465 [HIGH] CWE-73 GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page
### Summary
A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to the target file, the target file cannot already exist and all parent directories must already exist.
### Details
When dumping the master password, GeoServer will use the provided file name with minimal validation as long as it is a java.io.File path. The only limitation is that the fix for a previous, unrelated vulnerability prevents relative path traversal here but absolute paths can be used to access arbitr
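The containment check whose absence the advisory describes, as an added example that is not GeoServer's code and not its actual fix: a user-supplied dump path is only accepted if it canonicalises into an operator-configured directory, and the file is created with CREATE_NEW so the "must not already exist" rule is enforced atomically rather than by a separate check. The class name and the notion of a configured permitted directory are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

/** Hypothetical hardened validator for a user-supplied dump file name (not GeoServer code). */
public final class DumpPathValidator {

    private final Path allowedDir;

    /** allowedDir is an assumed configuration value, e.g. a dedicated directory under the data dir. */
    public DumpPathValidator(Path allowedDir) throws IOException {
        // Canonicalise once so a symlinked base directory cannot be used to move the boundary later
        this.allowedDir = allowedDir.toRealPath();
    }

    /** Returns the validated target, or throws if the request must be refused. */
    public Path validate(String userSupplied) throws IOException {
        // Absolute and relative input are both reduced to one normalised absolute path
        Path requested = Paths.get(userSupplied).toAbsolutePath().normalize();
        Path parent = requested.getParent();
        if (parent == null || !Files.isDirectory(parent)) {
            throw new IOException("parent directory does not exist");
        }
        // toRealPath() collapses ".." and symlinks in the parent before the containment check,
        // so an absolute path pointing elsewhere on disk is rejected, not just a relative traversal
        Path canonicalParent = parent.toRealPath();
        if (!canonicalParent.startsWith(allowedDir)) {
            throw new IOException("target outside the permitted dump directory");
        }
        Path target = canonicalParent.resolve(requested.getFileName());
        if (Files.exists(target)) {
            throw new IOException("target already exists");
        }
        return target;
    }

    /** CREATE_NEW makes the write fail if the file appeared between validate() and the write. */
    public static void writeNew(Path target, byte[] content) throws IOException {
        Files.write(target, content, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
    }
}
```

Logging every accepted and rejected dump path with the requesting administrator's identity gives the audit trail a defender would want for this page.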
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-18