Main Vulnerability Database SB2026050563

SB2026050563 - XML External Entity injection in geoserver

Published: May 5, 2026

Security Bulletin ID SB2026050563

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) XML External Entity injection (CVE-ID: CVE-2024-34711)

The vulnerability allows a remote attacker to perform server-side request forgery and disclose limited information.

The vulnerability exists due to improper restriction of xml external entity reference in PreventLocalEntityResolver when processing XML entities with crafted external schema URIs. A remote attacker can send a specially crafted XML document to perform server-side request forgery and disclose limited information.

The issue can be abused to send GET requests to arbitrary HTTP servers, scan internal networks, and read limited .xsd files on the system.

Remediation

Install update from vendor's website.

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965