OSGeo GeoServer 2.27.0

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:osgeo:geoserver:2.27.0:*:*:*:*:*:*:*

part: a version: 2.27.0 update: *

VendorOsgeo (706646bf-cac0-5b16-9ff6-83d28fd0444b)
ProductGeoserver (5d4880e3-3502-5ab9-ac74-559fbda7dc5e)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from NVD CPE 2.0 feed

PURL mappings

PURLSourceLast updated
pkg:github/geoserver/geoserver purl2cpe 2026-06-01 10:12:16.031121
pkg:maven/org.geoserver/geoserver purl2cpe 2026-06-01 10:12:16.031122
pkg:rpm/opensuse/geoserver purl2cpe 2026-06-01 10:12:16.031124
pkg:sourceforge/geoserver purl2cpe 2026-06-01 10:12:16.031125

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2025-30220 vulnerable 2026-06-08 07:16:59.320090 GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling
CRITICAL (9.9)
GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
Published: 2025-06-10T15:16:39.339Z
Updated: 2025-06-10T17:13:09.180Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.