cbcvebase.
CVE-2026-33721
published 2026-03-27

Priority: P350 (high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.86% (54.1st percentile)
MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue.

Affected (4 ranges)

Vendor      Product     Version range                     Fixed in
debian      mapserver   < mapserver 8.6.1-1 (forky)       mapserver 8.6.1-1 (forky)
mapserver   mapserver   (not specified)                   (not specified)
osgeo       mapserver   >= 0, < 8.6.1-1                   8.6.1-1
osgeo       mapserver   >= 4.2.0, < 8.6.1                 8.6.1

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv                       7.5     HIGH
vendor_debian             5.3     MEDIUM
vendor_redhat             5.3     MEDIUM