Description
MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2.
Published: 2026-05-08
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MapServer versions 6.0 up to (but not including) 8.6.2 contain a reflected XSS flaw that lets an unauthenticated attacker inject arbitrary HTML or JavaScript into the browser of any user who opens a crafted WMS URL. The flaw is triggered when a WMS 1.3.0 request asks for FORMAT=application/openlayers (MapServer's built-in OpenLayers viewer page) and carries an SRS parameter whose value is reflected into that page without sanitization. The weakness is classified as CWE-80 (basic XSS). Script injected this way runs in the origin of the MapServer host, so it can act with the victim's browser session on that origin, deface the viewer page, or send data it can read to an attacker-controlled site; the CVSS vector rates the confidentiality and integrity impact as low and the availability impact as none.
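
A detection pass over web-server access logs, added here as an example and not part of the OpenCVE page or the MapServer project: it flags WMS requests that combine FORMAT=application/openlayers with an SRS or CRS value containing characters that never appear in a CRS identifier, which is the request shape the advisory describes. The log lines, client addresses, map path and layer name are constructed for the example, and the log regex assumes the default Apache/nginx combined format.

```python
"""Flag access-log requests that match the CVE-2026-42030 request shape.

Added example, not MapServer or OpenCVE code. Scans Apache/nginx combined-format
log lines (constructed below) for WMS requests with FORMAT=application/openlayers
whose SRS or CRS value contains characters a CRS identifier never has.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Legitimate CRS identifiers (EPSG:4326, CRS:84, AUTO2:42001,9001,...) are
# letters, digits, colon, comma, dot, underscore, hyphen and plus. Anything
# else (quotes, angle brackets, slashes, spaces) is out of place.
CRS_OK = re.compile(r'^[A-Za-z0-9:,._+\-]+$')


def parse_query(path):
    """Decode the query string into {UPPERCASE_NAME: [values]}.

    WMS parameter names are case-insensitive, so keys are upper-cased.
    parse_qs already URL-decodes once; the extra unquote() also catches
    double-encoded values such as %253C (-> %3C -> <).
    """
    query = urlsplit(path).query
    return {
        name.upper(): [unquote(v) for v in values]
        for name, values in parse_qs(query, keep_blank_values=True).items()
    }


def is_suspicious(params):
    """True when the OpenLayers viewer is requested and SRS/CRS is not a plain CRS id."""
    formats = [f.lower() for f in params.get("FORMAT", [])]
    if "application/openlayers" not in formats:
        return False  # the advisory's trigger needs the OpenLayers format
    for name in ("SRS", "CRS"):
        for value in params.get(name, []):
            if not CRS_OK.match(value):
                return True
    return False


def scan(lines):
    """Return (client_ip, decoded SRS/CRS values, raw line) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than guess
        params = parse_query(m.group("path"))
        if is_suspicious(params):
            hits.append((m.group("ip"), params.get("SRS", []) + params.get("CRS", []), line))
    return hits


# Constructed sample log lines (not real traffic). The query parameters follow
# the shape the advisory describes; the map path, layer and addresses are invented.
SAMPLE_LOG = [
    # plain GetMap with an ordinary SRS: not flagged
    '203.0.113.10 - - [08/May/2026:10:00:01 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map'
    '&SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&LAYERS=roads&FORMAT=image/png&SRS=EPSG:4326'
    '&BBOX=-10,40,10,60&WIDTH=500&HEIGHT=500 HTTP/1.1" 200 18231 "-" "QGIS/3.34"',
    # OpenLayers viewer with an ordinary CRS: not flagged
    '203.0.113.11 - - [08/May/2026:10:00:02 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map'
    '&SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&LAYERS=roads&FORMAT=application/openlayers'
    '&SRS=EPSG:3857&BBOX=-10,40,10,60&WIDTH=500&HEIGHT=500 HTTP/1.1" 200 4102 "-" "Mozilla/5.0"',
    # markup in SRS but a raster format: not the advisory's trigger, not flagged
    '203.0.113.12 - - [08/May/2026:10:00:03 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map'
    '&SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&LAYERS=roads&FORMAT=image/png'
    '&SRS=EPSG:4326%3Cb%3Ecanary%3C/b%3E&BBOX=-10,40,10,60&WIDTH=500&HEIGHT=500 HTTP/1.1" 400 311 "-" "curl/8.5.0"',
    # OpenLayers viewer with URL-encoded markup in SRS: flagged
    '198.51.100.7 - - [08/May/2026:10:00:04 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map'
    '&SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&LAYERS=roads&FORMAT=application/openlayers'
    '&SRS=EPSG:4326%22%3E%3Cb%3Ecanary%3C/b%3E&BBOX=-10,40,10,60&WIDTH=500&HEIGHT=500 HTTP/1.1" 200 4388 "-" "curl/8.5.0"',
    # same idea, double-encoded to slip past a naive %3C filter: still flagged
    '198.51.100.7 - - [08/May/2026:10:00:05 +0000] "GET /cgi-bin/mapserv?map=/maps/demo.map'
    '&SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&LAYERS=roads&FORMAT=application%2Fopenlayers'
    '&CRS=EPSG:4326%253Cb%253Ecanary%253C%2Fb%253E&BBOX=-10,40,10,60&WIDTH=500&HEIGHT=500 HTTP/1.1" 200 4388 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, values, line in scan(SAMPLE_LOG):
        print(f"{ip}: SRS/CRS={values!r}")
```

Feed real log files line by line into scan(); the third sample line shows why the FORMAT check matters (markup in SRS alone is noisy, the advisory's trigger needs the OpenLayers format), and the last one why decoding has to go one level deeper than the server's own decoding.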

Affected Systems

The affected product is MapServer, specifically all releases from 6.0 up through 8.6.1. Version 8.6.2 and later contain the fix and are not vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (Medium) reflects a network-reachable flaw that needs no privileges but does need a victim to open the crafted URL (UI:R), with the changed scope (S:C) typical of XSS; no EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. Because exploitation requires only that a user visit a crafted link, exposure is real for any WMS endpoint that is reachable by the intended victims, accepts unauthenticated requests and still serves FORMAT=application/openlayers. Operators who cannot upgrade immediately can block or reject GetMap requests for that format in front of MapServer (reverse proxy or WAF) or restrict the endpoint to trusted networks; only the upgrade removes the unsanitized reflection itself.

Generated by OpenCVE AI on May 8, 2026 at 19:01 UTC.

Remediation

Fixed in MapServer 8.6.2 (per the CVE description above); no separate vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade MapServer to version 8.6.2 or later; this is the only change that removes the unsanitized reflection.
  • Until then, reject or block WMS GetMap requests with FORMAT=application/openlayers in front of the server (reverse proxy or WAF), since the flaw is only reachable through that format.
  • Restrict the WMS endpoint to trusted networks or require authentication. Note that authentication alone does not protect users who are themselves logged in and open a crafted link, so it reduces exposure rather than removing it.
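
Two checks to run before and after the upgrade, added here as an example (not MapServer project code or an OpenCVE tool): a version test against the affected range stated above, and a classifier for the body an instance returns when the OpenLayers viewer is requested with a harmless canary in SRS. The `mapserv -v` banner layout, the probe URL's base address, map path and layer name, and the two sample response bodies are assumptions constructed for the example.

```python
"""Pre/post-upgrade checks for CVE-2026-42030 (added example, not project code).

is_affected()        : is the installed MapServer inside 6.0 <= v < 8.6.2?
probe_url()          : the WMS 1.3.0 GetMap request that exercises the path the
                       advisory names (FORMAT=application/openlayers + SRS)
reflects_unescaped() : did the canary in SRS come back with its markup intact?
"""
import html
import re
from urllib.parse import urlencode

FIRST_AFFECTED = (6, 0)
FIXED = (8, 6, 2)

# A value that is harmless in a browser but carries the two characters a fix
# must neutralise in an HTML attribute/script context: a double quote and '<'.
# The token itself is arbitrary.
CANARY = 'EPSG:4326"<cve42030-canary>'


def parse_version(banner):
    """Pull (major, minor, patch) out of a `mapserv -v` banner.

    Assumes the banner contains 'MapServer version X.Y[.Z]' (constructed
    sample below); a missing patch component counts as 0.
    """
    m = re.search(r"MapServer version (\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError("no MapServer version string found")
    return tuple(int(x) for x in m.groups(default="0"))


def is_affected(banner):
    """True for every release from 6.0 up to, but not including, 8.6.2."""
    return FIRST_AFFECTED <= parse_version(banner) < FIXED


def probe_url(base_url, map_path, layer):
    """Build the GetMap request. base_url, map_path and layer are placeholders
    for the instance under test. CRS carries a valid value so the request is
    otherwise well-formed; SRS carries the canary, since the advisory names SRS
    as the reflected parameter."""
    params = {
        "map": map_path,
        "SERVICE": "WMS",
        "VERSION": "1.3.0",
        "REQUEST": "GetMap",
        "LAYERS": layer,
        "FORMAT": "application/openlayers",
        "CRS": "EPSG:4326",
        "SRS": CANARY,
        "BBOX": "-10,40,10,60",
        "WIDTH": "400",
        "HEIGHT": "300",
    }
    return f"{base_url}?{urlencode(params)}"


def reflects_unescaped(body):
    """Classify the response body fetched from probe_url().

    'vulnerable' : the raw canary (quote and '<' intact) is in the page
    'escaped'    : only an HTML-escaped copy is present (fix in place)
    'absent'     : the canary does not appear at all (rejected, blocked, or a
                   different page); inspect manually before concluding anything
    """
    if CANARY in body:
        return "vulnerable"
    if html.escape(CANARY, quote=True) in body:
        return "escaped"
    return "absent"


# Constructed sample inputs (not captured from a real instance).
SAMPLE_BANNER_OLD = "MapServer version 8.6.1 PROJ version 9.3.0 GDAL version 3.8.4 OUTPUT=PNG OUTPUT=JPEG"
SAMPLE_BANNER_NEW = "MapServer version 8.6.2 PROJ version 9.3.0 GDAL version 3.8.4 OUTPUT=PNG OUTPUT=JPEG"
BODY_VULNERABLE = '<script>var projection = "EPSG:4326"<cve42030-canary>";</script>'
BODY_FIXED = '<script>var projection = "EPSG:4326&quot;&lt;cve42030-canary&gt;";</script>'

if __name__ == "__main__":
    print("8.6.1 affected:", is_affected(SAMPLE_BANNER_OLD))
    print("8.6.2 affected:", is_affected(SAMPLE_BANNER_NEW))
    print(probe_url("https://gis.example/cgi-bin/mapserv", "/maps/demo.map", "roads"))
    print("old body:", reflects_unescaped(BODY_VULNERABLE))
    print("new body:", reflects_unescaped(BODY_FIXED))
```

Run the version check on the real output of mapserv -v on the host; fetch probe_url() with curl into a file and pass its contents to reflects_unescaped(). Probe only instances you are authorised to test, and treat 'absent' as inconclusive rather than as proof of a fix: a WAF rule or a rejected request produces the same result.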

Advisories

No advisories yet.

History

Fri, 08 May 2026 16:30:00 +0000 (initial record: values added, nothing removed)

  Description  identical to the Description at the top of this page
  Title        MapServer: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in OpenLayers viewer
  Weaknesses   CWE-80
  References   (none added)
  Metrics      cvssV3_1: score 6.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T15:56:48.553Z

Reserved: 2026-04-23T16:05:01.708Z

Link: CVE-2026-42030

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T17:16:31.307

Modified: 2026-05-08T17:16:31.307

Link: CVE-2026-42030

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T19:15:14Z

Weaknesses