CVE-2026-42030
Reflected XSS in MapServer WMS Server
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mapserver | mapserver | From 6.0 (inc) to 8.6.2 (exc) |
| mapserver | mapserver | 8.6.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected Cross-Site Scripting (XSS) issue in MapServer's WMS server versions from 6.0 up to before 8.6.2. It allows an unauthenticated attacker to inject arbitrary HTML or JavaScript code into the browser of any user who opens a specially crafted WMS URL. The attack exploits the FORMAT=application/openlayers parameter combined with an unsanitized SRS parameter in WMS 1.3.0 requests.
How can this vulnerability impact me?
This vulnerability can impact users by allowing attackers to execute malicious scripts in their browsers when they access a crafted WMS URL. This can lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected web application.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in MapServer version 8.6.2. The immediate step to mitigate this vulnerability is to upgrade your MapServer installation to version 8.6.2 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an unauthenticated attacker to inject arbitrary HTML or JavaScript into the browser of users who open a crafted WMS URL, potentially leading to reflected Cross-Site Scripting (XSS) attacks.
Such XSS vulnerabilities can lead to unauthorized script execution in users' browsers, which may result in exposure or compromise of sensitive information.
This kind of security flaw could impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access or disclosure.
However, the CVE description and resources do not explicitly mention compliance implications or specific regulatory impacts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring or testing for WMS 1.3.0 requests that include the parameter FORMAT=application/openlayers combined with an unsanitized SRS parameter. Specifically, you can look for HTTP requests to the MapServer WMS endpoint that contain these parameters and check if the SRS parameter is reflected unsanitized in the response.
A practical approach is to capture network traffic or use tools like curl or wget to send crafted WMS requests and observe the responses for reflected script or HTML content.
- Use curl to send a test request: `curl -v "http://<mapserver-host>/wms?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&FORMAT=application/openlayers&SRS=<test_payload>"`
- Replace `<test_payload>` with a string containing HTML or JavaScript code (e.g., `<script>alert(1)</script>`) to check whether it is reflected unsanitized in the response.
- Analyze the HTTP response body for the presence of the injected script or HTML tags.
If the injected code appears in the response without proper escaping, the system is vulnerable.
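As an added, defender-side example (not code from this page or from the MapServer project), the following Python script applies the detection approach described above to web-server access logs rather than to live requests: it parses each request line, and flags WMS 1.3.0 requests with `FORMAT=application/openlayers` whose `SRS` value contains characters that a coordinate-reference-system identifier such as `EPSG:4326` would never carry. The combined-style log format, the `/cgi-bin/mapserv` path, the map file name and all sample lines are constructed for the illustration.

```python
"""Flag WMS 1.3.0 requests whose SRS parameter looks like injected markup.

Added illustration for log review of the reflected-XSS condition described
on this page; it is not MapServer code and does not know how MapServer
renders the value. Sample log lines, paths and IPs are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines. Only the third carries an
# SRS value with HTML characters (%3Cb%3E decodes to "<b>").
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2026:10:00:01 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map&SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&FORMAT=image/png&CRS=EPSG:4326&BBOX=-90,-180,90,180 HTTP/1.1" 200 512
10.0.0.7 - - [08/May/2026:10:00:02 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map&SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&FORMAT=application/openlayers&SRS=EPSG:3857 HTTP/1.1" 200 2048
10.0.0.9 - - [08/May/2026:10:00:03 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map&SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&FORMAT=application/openlayers&SRS=EPSG:4326%3Cb%3E HTTP/1.1" 200 2100
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters normally present in a CRS identifier, e.g. EPSG:4326, CRS:84,
# urn:ogc:def:crs:EPSG::4326. Anything else (quotes, <, >, /, spaces) is
# out of place in this parameter and worth a look.
SAFE_SRS = re.compile(r'^[A-Za-z0-9:._+-]+$')


def parse_request(line):
    """Return ip, timestamp, status and lower-cased query parameters, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = urlsplit(m['target']).query
    # WMS parameter names are case-insensitive; parse_qs percent-decodes values once.
    params = {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {'ip': m['ip'], 'ts': m['ts'], 'status': m['status'], 'params': params}


def is_suspicious_wms_request(params):
    """True for a WMS 1.3.0 openlayers-format request whose SRS is not a plain CRS id."""
    if params.get('service', '').upper() != 'WMS':
        return False
    if params.get('version') != '1.3.0':
        return False
    if params.get('format', '').lower() != 'application/openlayers':
        return False
    srs = params.get('srs')
    if srs is None:
        return False
    return SAFE_SRS.match(srs) is None


def scan_log(text):
    """Return (ip, timestamp, decoded SRS value) for each flagged request."""
    findings = []
    for line in text.splitlines():
        rec = parse_request(line)
        if rec and is_suspicious_wms_request(rec['params']):
            findings.append((rec['ip'], rec['ts'], rec['params']['srs']))
    return findings


if __name__ == '__main__':
    for ip, ts, srs in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} suspicious SRS value: {srs!r}')
```

The check is deliberately narrow: it keys on the exact parameter combination the page names and on the decoded `SRS` value only, so it produces few false positives on normal map traffic. Because `parse_qs` decodes percent-encoding a single time, a value that has been encoded twice reaches the check still encoded; reviewing flagged lines alongside the corresponding responses, as the curl-based approach above does, confirms whether the value was actually reflected.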