CVE-2024-36401 · CISA KEV · EPSS percentile 100.0%

CVE-2024-36401: OSGeo GeoServer GeoTools Eval Injection Vulnerability

OSGeo / GeoServer

Description

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input.

Scoring

EPSS: 99.81% probability of exploitation · percentile 100.0% · scored 2026-06-15T12:03:41Z

CISA KEV entry

Added to KEV: 2024-07-15

Incoming relationships (1)

Type     | Target                                                                      | Confidence | Tier
KEVEntry | OSGeo GeoServer GeoTools Eval Injection Vulnerability (kev-cve-2024-36401)  | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability
CVE: OSGeo GeoServer JAI-EXT Code Injection Vulnerability
CVE: CVE-2026-30479
CVE: CVE-2025-30220
CVE: XWiki Platform Eval Injection Vulnerability
CVE: CVE-2025-59431
Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.