21 matches found

RedhatCVE
added 2026/05/12 8:20 a.m. | 7 views

CVE-2026-42351

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories...

CVSS 7.5 | AI score 5.7 | EPSS 0.00042
Exploits 0 | References 1
RedhatCVE
added 2026/05/11 8:25 p.m. | 4 views

CVE-2026-42352

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to make requests to internal HTTP services. This issue has been patched in version 0.23.3...

CVSS 8.6 | AI score 5.9 | EPSS 0.00021
Exploits 0 | References 1
NVD
added 2026/05/08 11:16 p.m. | 8 views

CVE-2026-42352

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to make requests to internal HTTP services. This issue has been patched in version 0.23.3...

CVSS 8.6 | EPSS 0.00021
Exploits 0 | References 3
NVD
added 2026/05/08 11:16 p.m. | 8 views

CVE-2026-42351

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories...

CVSS 7.5 | EPSS 0.00042
Exploits 0 | References 3
ATTACKERKB
added 2026/05/08 10:31 p.m. | 4 views

CVE-2026-42352

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to make requests to internal HTTP services. This issue has been patched in version 0.23.3...

CVSS 8.6 | AI score 5.9 | EPSS 0.00021
Exploits 0 | References 4 | Affected Software 1
CVE
added 2026/05/08 10:31 p.m. | 5 views

CVE-2026-42352

pygeoapi is vulnerable to SSRF via the OGC API - Process execution path in versions 0.23.0 up to 0.23.3. The issue arises from the subscriber object enabling requests to internal HTTP services. It has been patched in version 0.23.3. Affected releases include 0.23.0–0.23.2, with fixes in 0.23.3. M...

CVSS 8.6 | AI score 5.9 | EPSS 0.00021
Exploits 0 | References 3
Cvelist
added 2026/05/08 10:31 p.m. | 24 views

CVE-2026-42352 pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to make requests to internal HTTP services. This issue has been patched in version 0.23.3...

CVSS 8.6 | EPSS 0.00021
Exploits 0 | References 3
Vulnrichment
added 2026/05/08 10:31 p.m. | 4 views

CVE-2026-42352 pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to make requests to internal HTTP services. This issue has been patched in version 0.23.3...

CVSS 8.6 | AI score 5.9 | EPSS 0.00021
Exploits 0 | References 3
Cvelist
added 2026/05/08 10:31 p.m. | 24 views

CVE-2026-42351 pygeoapi: Path Traversal in STAC FileSystemProvider

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories...

CVSS 7.5 | EPSS 0.00042
Exploits 0 | References 3
ATTACKERKB
added 2026/05/08 10:31 p.m. | 2 views

CVE-2026-42351

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories...

CVSS 7.5 | AI score 5.8 | EPSS 0.00042
Exploits 0 | References 4 | Affected Software 1
CVE
added 2026/05/08 10:31 p.m. | 5 views

CVE-2026-42351

CVE-2026-42351 affects pygeoapi prior to 0.23.3. A raw string path concatenation vulnerability in the STAC FileSystemProvider can allow requests to STAC collection based resources to expose directories without authentication, when deployed without URL-normalizing proxies and with a stac-collectio...

CVSS 7.5 | AI score 5.8 | EPSS 0.00042
Exploits 0 | References 3
Vulnrichment
added 2026/05/08 10:31 p.m. | 5 views

CVE-2026-42351 pygeoapi: Path Traversal in STAC FileSystemProvider

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories...

CVSS 7.5 | AI score 5.8 | EPSS 0.00042
Exploits 0 | References 3
CNNVD
added 2026/05/08 12:00 a.m. | 4 views

pygeoapi code issue vulnerability

pygeoapi is a geospatial data API server developed by geopython. In versions 0.23.0 to 0.23.3 of pygeoapi, there were code-related vulnerabilities. These vulnerabilities stemmed from the OGC API process's ability to use subscriber objects to access internal HTTP services during requests...

CVSS 8.6 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 1
CNNVD
added 2026/05/08 12:00 a.m. | 5 views

pygeoapi path traversal vulnerability

pygeoapi is a geospatial data API server developed by Geopython. In versions 0.23.0 to 0.23.3 of pygeoapi, there was a path traversal vulnerability. This vulnerability originated from a raw string concatenation vulnerability in the STAC FileSystemProvider plugin, which could lead to the exposure ...

CVSS 7.5 | AI score 5.8 | EPSS 0.00042
Exploits 0 | References 1
OSV
added 2026/04/29 10:19 p.m. | 2 views

GHSA-JGVC-94C8-3CHC pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber

Impact: OGC API - Process execution requests can use the subscriber object to make requests to internal HTTP services. Patches: The issue has been patched in master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default unless...

CVSS 8.6 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 5
Snyk
added 2026/04/29 10:19 p.m. | 6 views

Server-side Request Forgery (SSRF)

Overview: pygeoapi provides an API to geospatial data. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the subscriber process. An attacker can access internal HTTP services by submitting specially crafted OGC API - Process execution requests th...

CVSS 8.7 | AI score 5.9 | EPSS 0.00021
Exploits 0 | References 2
OSV
added 2026/04/29 10:18 p.m. | 0 views

GHSA-F6PR-83PG-GHH6 pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider

Impact: A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would...

CVSS 7.5 | AI score 5.7 | EPSS 0.00042
Exploits 0 | References 5
Snyk
added 2026/04/29 10:18 p.m. | 2 views

Directory Traversal

Overview: pygeoapi provides an API to geospatial data. Affected versions of this package are vulnerable to Directory Traversal via the STAC FileSystemProvider process. An attacker can access sensitive directories and files by sending crafted requests containing directory traversal...

CVSS 8.7 | AI score 6.3 | EPSS 0.00042
Exploits 0 | References 2
Github Security Blog
added 2026/04/29 10:18 p.m. | 7 views

pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider

Impact: A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would...

CVSS 7.5 | AI score 5.3 | EPSS 0.00042
Exploits 0 | References 5 | Affected Software 1
Positive Technologies
added 2026/04/29 12:00 a.m. | 4 views

PT-2026-36112

Name of the Vulnerable Software and Affected Versions: pygeoapi versions 0.23.0 through 0.23.2. Description: OGC API process execution requests can utilize the subscriber object to make requests to internal HTTP services. This allows for unauthorized interaction with internal network resources...

CVSS 8.6 | AI score 5.9 | EPSS 0.00021
Exploits 0 | References 8