CVE-2026-30479
DLL Injection in OSGeo MapServer < v8.0 Enables Code Execution
Publication date: 2026-04-09
Last updated on: 2026-04-14
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osgeo | mapserver | < 8.0 (8.0 excluded) |
| osgeo | mapserver | 7.7.0-dev |
| osgeo | mapserver | 7.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your MapServer installation is running a vulnerable version prior to 8.0, and by monitoring for suspicious requests to the mapserv.exe CGI that carry crafted values in the map parameter.
A specific command to test for the issue uses curl to request the mapserv.exe endpoint with a map parameter, for example:
- curl "http://your.mapserver.address/cgi-bin/mapserv.exe?map=CVE-2026-30479"
If this request triggers unexpected behavior such as loading external DLLs or executing unauthorized code, it indicates the presence of the vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the Dynamic-link Library Injection vulnerability in OSGeo Project MapServer affects compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade your MapServer installation to version 8.0 or later, where this DLL Injection vulnerability has been fixed.
Until an upgrade is possible, restrict access to the mapserv.exe CGI endpoint to trusted users only, and monitor for suspicious requests whose map parameter references an external location or a DLL.
Additionally, review and harden your server configuration to prevent loading of untrusted mapfiles or plugins.
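The two answers above recommend a version check and monitoring of the map parameter. The following is an added example (not from the advisory or the MapServer project) showing both as a small log-scanning script: it parses Apache combined-format access log lines, picks out requests to the mapserv.exe CGI, and flags map values that point to a UNC/network path, a URL, a traversal sequence, a DLL, or a location outside an allow-listed mapfile directory. The log lines, the allow-list, and the heuristics are this example's own assumptions.

```python
"""
Added example: flag mapserv.exe requests whose `map` parameter references an
external or out-of-tree mapfile, and check whether a version is before 8.0.
The sample log, allow-list and heuristics below are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list of directories from which mapfiles are legitimately
# served. Adjust to the deployment; these values are not from the advisory.
ALLOWED_MAPFILE_PREFIXES = ("C:/ms4w/apps/", "/var/www/mapfiles/")

# Apache "combined" log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Anything that looks like a URL scheme, e.g. http://, https://, file://
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Apr/2026:10:00:01 +0000] "GET /cgi-bin/mapserv.exe?map=C:/ms4w/apps/demo/demo.map&mode=map HTTP/1.1" 200 1024
203.0.113.7 - - [09/Apr/2026:10:00:02 +0000] "GET /cgi-bin/mapserv.exe?map=%5C%5C198.51.100.9%5Cshare%5Cevil.map HTTP/1.1" 500 0
203.0.113.8 - - [09/Apr/2026:10:00:03 +0000] "GET /cgi-bin/mapserv.exe?map=http://198.51.100.9/x.map HTTP/1.1" 500 0
203.0.113.9 - - [09/Apr/2026:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512
"""


def classify_map_value(value, allowed=ALLOWED_MAPFILE_PREFIXES):
    """Return a reason string if `value` looks like an external or out-of-tree
    mapfile reference, otherwise None. Heuristics are this example's assumptions."""
    v = value.strip()
    normalised = v.replace("\\", "/")  # treat Windows and POSIX separators alike
    if normalised.startswith("//"):
        return "UNC/network path"
    if SCHEME_RE.match(v):
        return "URL scheme (remote resource)"
    if "/../" in normalised or normalised.startswith("../"):
        return "path traversal"
    if v.lower().endswith(".dll"):
        return "DLL referenced directly"
    if not any(normalised.lower().startswith(p.lower()) for p in allowed):
        return "mapfile outside allow-listed directories"
    return None


def scan_access_log(text, allowed=ALLOWED_MAPFILE_PREFIXES):
    """Scan access-log text; return one finding dict per suspicious map value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognised combined-format line
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith(("/mapserv.exe", "/mapserv")):
            continue  # only the MapServer CGI is of interest
        # parse_qs percent-decodes, so %5C%5C becomes a leading backslash pair
        for value in parse_qs(parts.query).get("map", []):
            reason = classify_map_value(value, allowed)
            if reason:
                findings.append({
                    "line": lineno,
                    "client": m.group("client"),
                    "status": m.group("status"),
                    "map": value,
                    "reason": reason,
                })
    return findings


def is_affected_version(version):
    """True if `version` sorts before 8.0, the fixed release named in the advisory.
    A suffix such as '-dev' is ignored for the comparison."""
    core = version.split("-", 1)[0]          # "7.7.0-dev" -> "7.7.0"
    nums = tuple(int(p) for p in core.split("."))
    return nums < (8, 0)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> map={f['map']!r} ({f['reason']})")
    for v in ("7.0.1", "7.7.0-dev", "8.0", "8.0.1"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

Run against a real log with `scan_access_log(open("access.log").read())`; the two flagged sample lines are the UNC path and the URL-valued map parameter, while the allow-listed local mapfile and the non-CGI request pass. The allow-list check is deliberately last so that the more specific reasons (UNC, URL, traversal, DLL) are reported when they apply.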
Can you explain this vulnerability to me?
CVE-2026-30479 is a Remote Code Execution (RCE) vulnerability in OSGeo Project MapServer versions prior to 8.0 caused by a Dynamic-link Library (DLL) Injection flaw.
The vulnerability affects the mapserv.exe component, specifically through the map parameter, which allows an unauthenticated attacker to load a malicious, attacker-controlled mapfile.
This malicious mapfile can specify a DLL to be injected and executed on the underlying system, enabling arbitrary code execution remotely.
The attack involves crafting a malicious mapfile referencing a DLL hosted on a remote attacker-controlled machine. When mapserv.exe processes this mapfile, it loads and executes the DLL, leading to remote code execution.
A fixed version of MapServer (version 8.0 and later) addresses this vulnerability.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on the system running the vulnerable MapServer versions prior to 8.0.
Successful exploitation could lead to full system compromise, unauthorized access, data theft, or disruption of services.
Because the attacker can execute code remotely without authentication, the risk of exploitation is significant, especially for publicly accessible MapServer installations.