Vulnerability Details CVE-2026-42030
MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 4.1%
CVSS Severity
CVSS v3 Score 6.1
References
Products affected by CVE-2026-42030
-
cpe:2.3:a:osgeo:mapserver:6.0.0
-
cpe:2.3:a:osgeo:mapserver:6.0.1
-
cpe:2.3:a:osgeo:mapserver:6.0.2
-
cpe:2.3:a:osgeo:mapserver:6.0.3
-
cpe:2.3:a:osgeo:mapserver:6.0.4
-
cpe:2.3:a:osgeo:mapserver:6.0.5
-
cpe:2.3:a:osgeo:mapserver:6.0.6
-
cpe:2.3:a:osgeo:mapserver:6.2.0
-
cpe:2.3:a:osgeo:mapserver:6.2.1
-
cpe:2.3:a:osgeo:mapserver:6.2.2
-
cpe:2.3:a:osgeo:mapserver:6.2.3
-
cpe:2.3:a:osgeo:mapserver:6.2.4
-
cpe:2.3:a:osgeo:mapserver:6.4.0
-
cpe:2.3:a:osgeo:mapserver:6.4.1
-
cpe:2.3:a:osgeo:mapserver:6.4.2
-
cpe:2.3:a:osgeo:mapserver:6.4.3
-
cpe:2.3:a:osgeo:mapserver:6.4.4
-
cpe:2.3:a:osgeo:mapserver:6.4.5
-
cpe:2.3:a:osgeo:mapserver:6.4.6
-
cpe:2.3:a:osgeo:mapserver:7.0.0
-
cpe:2.3:a:osgeo:mapserver:7.0.1
-
cpe:2.3:a:osgeo:mapserver:7.0.2
-
cpe:2.3:a:osgeo:mapserver:7.0.3
-
cpe:2.3:a:osgeo:mapserver:7.0.4
-
cpe:2.3:a:osgeo:mapserver:7.0.5
-
cpe:2.3:a:osgeo:mapserver:7.0.6
-
cpe:2.3:a:osgeo:mapserver:7.0.7
-
cpe:2.3:a:osgeo:mapserver:7.0.8
-
cpe:2.3:a:osgeo:mapserver:7.1.0
-
cpe:2.3:a:osgeo:mapserver:7.2.0
-
cpe:2.3:a:osgeo:mapserver:7.2.1
-
cpe:2.3:a:osgeo:mapserver:7.2.2
-
cpe:2.3:a:osgeo:mapserver:7.2.3
-
cpe:2.3:a:osgeo:mapserver:7.3.0
-
cpe:2.3:a:osgeo:mapserver:7.4.0
-
cpe:2.3:a:osgeo:mapserver:7.4.1
-
cpe:2.3:a:osgeo:mapserver:7.4.2
-
cpe:2.3:a:osgeo:mapserver:7.4.3
-
cpe:2.3:a:osgeo:mapserver:7.4.4
-
cpe:2.3:a:osgeo:mapserver:7.4.5
-
cpe:2.3:a:osgeo:mapserver:7.5.0
-
cpe:2.3:a:osgeo:mapserver:7.6.0
-
cpe:2.3:a:osgeo:mapserver:7.6.1
-
cpe:2.3:a:osgeo:mapserver:7.6.2
-
cpe:2.3:a:osgeo:mapserver:7.6.3
-
cpe:2.3:a:osgeo:mapserver:7.6.4
-
cpe:2.3:a:osgeo:mapserver:7.6.5
-
cpe:2.3:a:osgeo:mapserver:7.6.6
-
cpe:2.3:a:osgeo:mapserver:7.6.7
-
cpe:2.3:a:osgeo:mapserver:8.0.0
-
cpe:2.3:a:osgeo:mapserver:8.0.1
-
cpe:2.3:a:osgeo:mapserver:8.0.2
-
cpe:2.3:a:osgeo:mapserver:8.2.0
-
cpe:2.3:a:osgeo:mapserver:8.2.1
-
cpe:2.3:a:osgeo:mapserver:8.2.2
-
cpe:2.3:a:osgeo:mapserver:8.4.0
-
cpe:2.3:a:osgeo:mapserver:8.4.1
-
cpe:2.3:a:osgeo:mapserver:8.6.0
-
cpe:2.3:a:osgeo:mapserver:8.6.1