pkg:Maven/org.geoserver.web:gs-web-app

13 total CVEs: CRITICAL 2, HIGH 4, MEDIUM 7

All known vulnerabilities

  • CRITICAL 9.8 | CVE-2024-36401 | ⚠ KEV | Remote Code Execution (RCE) vulnerability in geoserver
    >= 2.24.0, < 2.24.4
  • HIGH 8.2 | CVE-2025-58360 | ⚠ KEV | GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
    >= 2.26.0, < 2.26.2
  • CRITICAL 9.3 | CVE-2024-34711 | GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)
    from 0, < 2.25.0
  • HIGH 8.2 | CVE-2025-30220 | GeoTools has XML External Entity (XXE) Processing Vulnerability in XSD schema handling
    >= 2.27.0, < 2.27.1
  • HIGH 7.5 | CVE-2025-30145 | GeoServer Infinite Loop Vulnerability in Jiffle process
    >= 2.26.0, < 2.26.3
  • HIGH 7.5 | CVE-2024-24749 | Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat
    from 0, < 2.23.5
  • MEDIUM 6.1 | CVE-2025-21621 | GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format
    from 0, < 2.25.0
  • MEDIUM 5.5 | CVE-2024-40625 | Coverage REST API Server Side Request Forgery
    from 0, < 2.26.0
  • MEDIUM 5.3 | CVE-2025-27505 | GeoServer Missing Authorization on REST API Index
    >= 2.26.0, < 2.26.3
  • MEDIUM 5.3 | CVE-2024-38524 | GWC Home Page communicate version and revision information
    >= 2.26.0, < 2.26.2
  • MEDIUM 5.3 | CVE-2024-35230 | Welcome and About GeoServer pages communicate version and revision information
    >= 2.0.0, < 2.25.1
  • MEDIUM 5.3 | CVE-2023-41339 | Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF
    from 0, < 2.22.5
  • MEDIUM 4.5 | CVE-2024-34696 | GeoServer's Server Status shows sensitive environmental variables and Java properties
    >= 2.10.0, < 2.24.4