Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, the WMS GetFeatureInfo HTML output format (INFO_FORMAT=text/html) is vulnerable to reflected cross-site scripting (XSS): the value of the SLD_BODY request parameter is reflected into the HTML response without proper output encoding, so a remote, unauthenticated attacker who persuades a victim to open a crafted GetFeatureInfo URL can execute arbitrary JavaScript in the victim's browser in the context of the GeoServer site. The CVSS vector (PR:N, UI:R) reflects that no privileges are required but the victim must follow the link. This issue has been patched in version 2.25.0; upgrade to 2.25.0 or later.
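As an added example (not GeoServer's code and not part of the advisory), the following Python scans web-server access logs for GetFeatureInfo requests that select the HTML output format and carry an SLD_BODY containing browser-active markup, and checks a GeoServer version string against the fixed release. The log lines are constructed samples in Combined Log Format, and the ACTIVE_HTML pattern is a heuristic assumption that should be tuned against the SLD documents legitimately used by your clients. Because GeoServer also accepts WMS requests via POST, a query-string scan only covers GET traffic; POST bodies need a proxy or WAF that logs them.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Version in which GHSA-w66h-j855-qr72 was fixed, per the advisory.
FIXED_VERSION = (2, 25, 0)

# Heuristic (assumption, tune per deployment): markup that has no business in
# an SLD document but would execute if reflected unescaped into an HTML
# GetFeatureInfo response. A legitimate SLD_BODY is XML and will contain
# angle brackets, so "contains <" alone is not a usable signal.
ACTIVE_HTML = re.compile(
    r"<\s*(script|iframe|img|svg|object|embed)\b"  # active tags
    r"|\bon[a-z]+\s*="                             # inline event handlers
    r"|javascript\s*:",                            # javascript: URLs
    re.IGNORECASE,
)

# Combined Log Format request line: ip ident user [ts] "METHOD target proto" status
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). Line 1 has no SLD_BODY,
# line 2 carries a plain SLD, lines 3 and 4 carry XSS payloads (the fourth
# with a lower-cased parameter name), line 5 is a POST whose body is not logged.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Nov/2025:10:00:01 +0000] "GET /geoserver/wms?SERVICE=WMS&VERSION=1.1.1&REQUEST=GetFeatureInfo&LAYERS=topp%3Astates&QUERY_LAYERS=topp%3Astates&INFO_FORMAT=text%2Fhtml&X=50&Y=50&WIDTH=101&HEIGHT=101&BBOX=-130%2C24%2C-66%2C50&SRS=EPSG%3A4326 HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Nov/2025:10:00:02 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetFeatureInfo&INFO_FORMAT=text%2Fhtml&LAYERS=topp%3Astates&QUERY_LAYERS=topp%3Astates&SLD_BODY=%3CStyledLayerDescriptor%3E%3CNamedLayer%3E%3CName%3Etopp%3Astates%3C%2FName%3E%3C%2FNamedLayer%3E%3C%2FStyledLayerDescriptor%3E&X=1&Y=1&WIDTH=2&HEIGHT=2&BBOX=0%2C0%2C1%2C1&SRS=EPSG%3A4326 HTTP/1.1" 200 900 "-" "QGIS/3.34"
10.0.0.9 - - [25/Nov/2025:10:00:03 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetFeatureInfo&INFO_FORMAT=text%2Fhtml&LAYERS=topp%3Astates&QUERY_LAYERS=topp%3Astates&SLD_BODY=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E&X=1&Y=1&WIDTH=2&HEIGHT=2&BBOX=0%2C0%2C1%2C1&SRS=EPSG%3A4326 HTTP/1.1" 200 600 "-" "Mozilla/5.0"
10.0.0.11 - - [25/Nov/2025:10:00:04 +0000] "GET /geoserver/wms?service=WMS&request=GetFeatureInfo&info_format=text%2Fhtml&layers=topp%3Astates&query_layers=topp%3Astates&sld_body=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&x=1&y=1&width=2&height=2&bbox=0%2C0%2C1%2C1&srs=EPSG%3A4326 HTTP/1.1" 200 610 "-" "Mozilla/5.0"
10.0.0.13 - - [25/Nov/2025:10:00:05 +0000] "POST /geoserver/wms HTTP/1.1" 200 1200 "-" "curl/8.4.0"
"""


def parse_wms_params(target):
    """Return the query parameters of a request target with lower-cased keys.

    WMS parameter names are case-insensitive, so SLD_BODY, sld_body and
    Sld_Body must all be treated alike; parse_qs also percent-decodes values.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k.lower(): v[-1] for k, v in params.items()}


def classify_request(target):
    """Classify one request target.

    Returns None when the request is not an HTML GetFeatureInfo carrying an
    SLD_BODY, "benign" when the SLD_BODY looks like plain SLD/XML, and
    "suspicious" when it contains constructs that would run in a browser.
    """
    p = parse_wms_params(target)
    if p.get("request", "").lower() != "getfeatureinfo":
        return None
    if "html" not in p.get("info_format", "").lower():
        return None
    if "sld_body" not in p:
        return None
    return "suspicious" if ACTIVE_HTML.search(p["sld_body"]) else "benign"


def scan_access_log(text):
    """Return (client_ip, timestamp, status, decoded_sld_body) for suspicious lines."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        if classify_request(m["target"]) == "suspicious":
            sld = parse_wms_params(m["target"])["sld_body"]
            findings.append((m["ip"], m["ts"], int(m["status"]), sld[:80]))
    return findings


def is_affected(version):
    """True when a GeoServer version string sorts below the fixed release 2.25.0."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < FIXED_VERSION


if __name__ == "__main__":
    for ip, ts, status, sld in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} SLD_BODY={sld!r}")
    for v in ("2.24.2", "2.25.0", "2.26.1"):
        print(v, "affected" if is_affected(v) else "fixed")
```

A 200 status on a flagged line means the server accepted the request; that alone does not prove a victim's browser rendered it, so correlate with the Referer and User-Agent of the same client and with whether the instance is below 2.25.0.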
References (4)
Vendor Advisory: https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72
Issue Tracking (pull request): https://github.com/geoserver/geoserver/pull/7406
Patch (commit): https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d
Issue Tracking (Jira): https://osgeo-org.atlassian.net/browse/GEOS-11297
Scores
CVSS v3: 6.1 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0003 (percentile 7.5%)
CISA SSVC (Vulnrichment): Exploitation none; Automatable no; Technical Impact partial
Details
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Status: published
Products (3)
geoserver/geoserver: < 2.25.0
org.geoserver/gs-wms (Maven): >= 0, < 2.25.0
org.geoserver.web/gs-web-app (Maven): >= 0, < 2.25.0
Published: Nov 25, 2025
Tracked Since: Feb 18, 2026