
25 matches found

Nuclei
added 2026/05/28 5:39 a.m. | 81 views

GeoServer OGC Filter - SQL Injection

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is...

CVSS 9.8 | AI score 7.3 | EPSS 0.94057
Exploits: 2 | References: 5

RedhatCVE
added 2025/10/23 3:13 p.m. | 2 views

CVE-2025-57870

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can...

CVSS 10 | AI score 8.4 | EPSS 0.00161
Exploits: 0 | References: 1

OSV
added 2025/10/22 3:15 p.m. | 0 views

CVE-2025-57870

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can...

CVSS 10 | AI score 6.2
Exploits: 0 | References: 1

EUVD
added 2025/10/22 2:26 p.m. | 2 views

EUVD-2025-35576

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can...

CVSS 10 | AI score 7.8 | EPSS 0.00161
Exploits: 0 | References: 2

Positive Technologies
added 2025/10/22 12:00 a.m. | 3 views

PT-2025-43271

Name of the Vulnerable Software and Affected Versions: Esri ArcGIS Server versions 11.3 through 11.5. Description: A SQL Injection issue exists in Esri ArcGIS Server. This allows a remote, unauthenticated attacker to execute arbitrary SQL commands through a specific ArcGIS Feature Service operation...

CVSS 10 | AI score 8.2 | EPSS 0.00161
Exploits: 0 | References: 5

GithubExploit
added 2025/10/04 9:28 a.m. | 198 views

Exploit for Code Injection in Geoserver

CVE-2024-36401 GeoServer Exploit Tool Vulnerability Descri...

CVSS 9.8 | AI score 7.8 | EPSS 0.94425
Exploits: 24

EUVD
added 2025/10/03 8:07 p.m. | 2 views

EUVD-2022-51939

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 6.1 | EPSS 0.0044
Exploits: 0 | References: 4

EUVD
added 2025/10/03 8:07 p.m. | 2 views

EUVD-2025-17683

Malicious code in bioql PyPI...

CVSS 9.9 | AI score 6.3 | EPSS 0.13939
Exploits: 1 | References: 8

CVE
added 2025/09/19 7:29 p.m. | 21 views

CVE-2025-59431

MapServer prior to 8.4.1 is affected by a vulnerability in the XML Filter Query directive PropertyName that can be exploited via Boolean-based SQL injection by injecting double quote characters into PropertyName, enabling manipulation of backend database queries. The issue is fixed in MapServer 8...

CVSS 9.8 | AI score 7.1 | EPSS 0.00057
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2025/09/19 7:29 p.m. | 6 views

CVE-2025-59431 MapServer - WFS XML Filter Query SQL injection

MapServer is a system for developing web-based GIS applications. Prior to 8.4.1, the XML Filter Query directive PropertyName is vulnerable to Boolean-based SQL injection. It seems like expression checking is bypassed by introducing double quote characters in the PropertyName. Allowing to manipula...

CVSS 9.3 | EPSS 0.00057
Exploits: 1 | References: 1

The Hacker News
added 2024/07/16 4:01 a.m. | 59 views

CISA Warns of Actively Exploited RCE Flaw in GeoServer GeoTools Software

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. GeoServer is an open-source software server written in Java that...

CVSS 9.8 | AI score 9.7 | EPSS 0.94425
Exploits: 31

Github Security Blog
added 2023/02/22 7:15 p.m. | 67 views

GeoServer OGC Filter SQL Injection Vulnerabilities

Impact: GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. SQL Injection...

CVSS 9.8 | AI score 9.7 | EPSS 0.94057
Exploits: 2 | References: 4 | Affected Software: 1

CVE
added 2023/02/21 9:00 p.m. | 270 views

CVE-2023-25157

CVE-2023-25157 (GeoServer SQL Injection) is triggered by flaws in OGC Filter handling within GeoServer’s WFS/WMS/WCS inputs, enabling SQL injection via filters such as PropertyIsLike, strEndsWith, strStartsWith, jsonArrayContains, and FeatureId under certain datastore conditions. Public details c...

CVSS 9.8 | AI score 9.4 | EPSS 0.94057
Exploits: 2 | References: 2 | Affected Software: 1

OSV
added 2022/12/18 10:15 p.m. | 27 views

CVE-2022-4607

A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.0. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to xml external entity reference. Upgrading to version 5.2.1 is able to address this issue. The name of the patch...

CVSS 9.8 | AI score 7
Exploits: 0 | References: 4

ATTACKERKB
added 2022/12/18 10:15 p.m. | 0 views

CVE-2022-4607

A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.0. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to xml external entity reference. Upgrading to version 5.2.1 is able to address this issue. The name of the patch...

CVSS 9.8 | AI score 5.3 | EPSS 0.0044
Exploits: 0 | References: 5 | Affected Software: 1

NVD
added 2022/12/18 10:15 p.m. | 10 views

CVE-2022-4607

A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.0. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to xml external entity reference. Upgrading to version 5.2.1 is able to address this issue. The name of the patch...

CVSS 9.8 | EPSS 0.0044
Exploits: 0 | References: 4

Prion
added 2022/12/18 10:15 p.m. | 10 views

Xxe

A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.0. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to xml external entity reference. Upgrading to version 5.2.1 is able to address this issue. The name of the patch...

CVSS 7.5 | AI score 9.4 | EPSS 0.0044
Exploits: 0 | References: 4 | Affected Software: 1

CNNVD
added 2022/12/18 12:00 a.m. | 2 views

3DCityDB Web Feature Service Interface Code Issue Vulnerability

3DCityDB Web Feature Service Interface is an open source city database WFS interface library for 3D City Database. Versions of 3DCityDB Web Feature Service Interface before 5.3.0 contain a code issue vulnerability. The vulnerability stems from some unknown processing problems, which will lead to...

CVSS 9.8 | AI score 6.2 | EPSS 0.0044
Exploits: 0 | References: 6

Cvelist
added 2022/12/18 12:00 a.m. | 10 views

CVE-2022-4607 3D City Database OGC Web Feature Service xml external entity reference

A vulnerability was found in 3D City Database OGC Web Feature Service up to 5.2.0. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to xml external entity reference. Upgrading to version 5.2.1 is able to address this issue. The name of the patch...

CVSS 5.5 | AI score 9.8 | EPSS 0.0044
Exploits: 0 | References: 4

CVE
added 2022/12/18 12:00 a.m. | 56 views

CVE-2022-4607

The CVE-2022-4607 issue affects 3D City Database OGC Web Feature Service (WFS) up to version 5.2.0. The root cause is an XML External Entity (XXE) reference introduced during processing, enabling potentially sensitive data exposure or other impact as described. A fix is available: upgrade to vers...

CVSS 9.8 | AI score 7.6 | EPSS 0.0044
Exploits: 0 | References: 4 | Affected Software: 1