CVE-2026-42351
pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider
Description
### Impact

A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow requests to STAC collection-based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs containing `..` segments, together with a resource of type `stac-collection` defined in the configuration.

### Patches

The issue has been patched in the master branch and made available in the 0.23.3 release. The fix is commit [bf25b8695edbdd5476eeffc102b633d1d3e45f52](https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52).

### Workarounds

Users can safeguard existing deployments by disabling STAC collection-based resources in their pygeoapi configuration until 0.23.3 can be installed and deployed.
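The bug class the advisory describes, shown as an added illustration (hypothetical code, not pygeoapi's own FileSystemProvider): the raw concatenation pattern that lets `..` segments walk out of the data root, beside a containment check that rejects them. The `naive_join`, `safe_join` and `escapes_root` names and the temporary collection root are assumptions for the demo.

```python
# Added illustration (hypothetical, not pygeoapi code): raw path concatenation
# versus a resolve-and-contain check for a file-backed STAC collection root.
import os
import tempfile
from pathlib import Path
from typing import Optional


def naive_join(data_root: str, requested: str) -> str:
    """Vulnerable pattern: the request path is glued onto the root.

    Nothing normalizes '..', so a traversal segment escapes data_root whenever
    no front-end proxy has collapsed dot segments before the request arrives.
    """
    return data_root + "/" + requested


def safe_join(data_root: str, requested: str) -> Optional[str]:
    """Hardened pattern: resolve both paths, then require containment.

    Returns the absolute path when it stays under data_root, otherwise None
    (a real handler would answer 400/404 instead of touching the file system).
    """
    root = Path(data_root).resolve()
    # lstrip keeps an absolute request path from replacing the root outright.
    candidate = (root / requested.lstrip("/")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return str(candidate)


def escapes_root(data_root: str, joined: str) -> bool:
    """True when the normalized joined path lies outside data_root."""
    root = os.path.realpath(data_root)
    return os.path.commonpath([root, os.path.realpath(joined)]) != root


def demo() -> dict:
    """Constructed scenario: a temp collection root and one traversal request."""
    root = tempfile.mkdtemp(prefix="stac-root-")
    Path(root, "items.json").write_text("{}")
    traversal = "../../../../../../etc/passwd"
    return {
        "root": root,
        "naive_escapes": escapes_root(root, naive_join(root, traversal)),
        "safe_result": safe_join(root, traversal),
        "safe_ok": safe_join(root, "items.json"),
    }


if __name__ == "__main__":
    print(demo())
```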
How to fix CVE-2026-42351
To remediate CVE-2026-42351, upgrade the affected package to a fixed version below.
- Upgrade to 0.23.3 or later
Is CVE-2026-42351 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 0.23.0, < 0.23.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |