Osgeo Mapserver vulnerabilities
26 known vulnerabilities affecting osgeo/mapserver.
Total CVEs: 26
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 9, HIGH 10, MEDIUM 6, LOW 1
Vulnerabilities
Page 2 of 2
CVE-2007-4629 | P4 | HIGH | CVSS 7.5 | ≥ 0, < 4.10.3-1 | 2007-08-31
Buffer overflow in the processLine function in maptemplate.c in MapServer before 4.10.3 allows attackers to cause a denial of service and possibly execute arbitrary code via a mapfile with a long layer name, group name, or metadata entry name.
Source: osv
CVE-2026-42030 | P4 | MEDIUM | CVSS 6.1 | CWE-80 | ≥ 6.0.0, < 8.6.2 | 2026-05-08
MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlay
Source: nvd
CVE-2021-32062 | P4 | MEDIUM | CVSS 5.3 | CWE-22 | fixed in 7.0.8; ≥ 7.1.0, < 7.2.3; +2 more | 2021-05-06
MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and 7.4.x before 7.4.5, and 7.5.x and 7.6.x before 7.6.3 does not properly enforce the MS_MAP_NO_PATH and MS_MAP_PATTERN restrictions that are intended to control the locations from which a mapfile may be loaded (with MapServer CGI).
Sources: nvd, osv
CVE-2009-0842 | P4 | MEDIUM | CVSS 4.3 | CWE-200 | v4.2.0, v4.4.0, +9 more | 2009-03-31
mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to read arbitrary invalid .map files via a full pathname in the map parameter, which triggers the display of partial file contents within an error message, as demonstrated by a /tmp/sekrut.map symlink.
Sources: nvd, osv
CVE-2007-4542 | P4 | MEDIUM | CVSS 4.3 | ≥ 0, < 4.10.3-1 | 2007-08-27
Multiple cross-site scripting (XSS) vulnerabilities in MapServer before 4.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the (1) processLine function in maptemplate.c and the (2) writeError function in mapserv.c in the mapserv CGI program.
Source: osv
CVE-2010-2539 | P4 | LOW | CVSS 2.1 | CWE-119 | ≤ 4.10.5, v4.2.0, +17 more | 2010-08-02
Buffer overflow in the msTmpFile function in maputil.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 allows local users to cause a denial of service via vectors involving names of temporary files.
Sources: nvd, osv