CVE-2025-58360 · CRITICAL 9.8 · CISA KEV · EPSS p99.2%

CVE-2025-58360: OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability

OSGeo / GeoServer

Description

OSGeo GeoServer contains an improper restriction of XML external entity reference (XXE) vulnerability: the application accepts XML input through the GetMap operation of the /geoserver/wms endpoint, and an attacker can define external entities within that XML request. This is the CWE-611 pattern, in which the XML parser resolves attacker-declared entities instead of refusing them.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 66.75% probability of exploitation · percentile 99.2% · as of 2026-06-19T12:03:05Z
Published: 2025-11-25
Last modified: 2025-12-12

CISA KEV entry

Added to KEV: 2025-12-11

Underlying weaknesses · 1

CWE-611 (Improper Restriction of XML External Entity Reference)

References

  1. https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525
  2. https://osgeo-org.atlassian.net/browse/GEOS-11682
  3. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360

Links · 1

Type      Target                                                           Confidence  Tier
Weakness  Improper Restriction of XML External Entity Reference (cwe-611)  0%          live

Links (incoming) · 1

Type      Target                                                                                                   Confidence  Tier
KEVEntry  OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability (kev-cve-2025-58360)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2025-30220
  - CVE: OSGeo GeoServer GeoTools Eval Injection Vulnerability
  - CVE: CVE-2025-10713
  - CVE: CVE-2025-48006
  - CVE: CVE-2026-8045
  - CVE: CVE-2025-2905

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.