CVE-2026-30479
Received Received - Intake
DLL Injection in OSGeo MapServer < v8.0 Enables Code Execution

Publication date: 2026-04-09

Last updated on: 2026-04-14

Assigner: MITRE

Description
A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30479
EUVD
EUVD-2026-20932
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
osgeo mapserver to 8.0 (exc)
osgeo mapserver 7.7.0-dev
osgeo mapserver 7.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking if your MapServer installation is running a vulnerable version prior to 8.0 and by monitoring for suspicious requests to the mapserv.exe CGI with crafted mapfile parameters.

A specific command to test exploitation involves using curl to request the vulnerable mapserv.exe with a malicious mapfile parameter, for example:

  • curl "http://your.mapserver.address/cgi-bin/mapserv.exe?map=CVE-2026-30479"

If this request triggers unexpected behavior such as loading external DLLs or executing unauthorized code, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade your MapServer installation to version 8.0 or later, where this DLL Injection vulnerability has been fixed.

Until an upgrade is possible, restrict access to the mapserv.exe CGI endpoint to trusted users only and monitor for suspicious requests that include the map parameter referencing external DLLs.

Additionally, review and harden your server configuration to prevent loading of untrusted mapfiles or plugins.

Executive Summary

CVE-2026-30479 is a Remote Code Execution (RCE) vulnerability in OSGeo Project MapServer versions prior to 8.0 caused by a Dynamic-link Library (DLL) Injection flaw.

The vulnerability affects the mapserv.exe component, specifically through the map parameter, which allows an unauthenticated attacker to load a malicious, attacker-controlled mapfile.

This malicious mapfile can specify a DLL to be injected and executed on the underlying system, enabling arbitrary code execution remotely.

The attack involves crafting a malicious mapfile referencing a DLL hosted on a remote attacker-controlled machine. When mapserv.exe processes this mapfile, it loads and executes the DLL, leading to remote code execution.

A fixed version of MapServer (version 8.0 and later) addresses this vulnerability.

Impact Analysis

This vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on the system running the vulnerable MapServer versions prior to 8.0.

Successful exploitation could lead to full system compromise, unauthorized access, data theft, or disruption of services.

Because the attacker can execute code remotely without authentication, the risk of exploitation is significant, especially for publicly accessible MapServer installations.

Compliance Impact

The provided information does not specify how the Dynamic-link Library Injection vulnerability in OSGeo Project MapServer affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30479. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart