4962 matches found

Github Security Blog
added 2025/06/10 8:10 p.m. · 10 views

GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint

Impact: GeoNetwork WFS Index functionality is affected by the GeoTools XML External Entity (XXE) vulnerability during schema validation. This vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files. Patches...

AI score 7
Exploits: 0 · References: 6 · Affected Software: 2
OSV
added 2025/06/10 8:10 p.m. · 15 views

GHSA-2P76-GC46-5FVC GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint

Impact: GeoNetwork WFS Index functionality is affected by the GeoTools XML External Entity (XXE) vulnerability during schema validation. This vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files. Patches...

CVSS 8.2 · AI score 7 · EPSS 0.49165
Exploits: 1 · References: 6
Github Security Blog
added 2025/06/10 7:16 p.m. · 9 views

GeoServer Missing Authorization on REST API Index

Summary: It is possible to bypass the default REST API security and access the index page. Details: The REST API security handles rest and its subpaths but not rest with an extension, e.g., rest.html. Impact: The REST API index can disclose whether certain extensions are installed. Workaround: In...

CVSS 5.3 · AI score 5.3 · EPSS 0.01022
Exploits: 0 · References: 6 · Affected Software: 2
OSV
added 2025/06/10 7:16 p.m. · 7 views

GHSA-H86G-X8MM-78M5 GeoServer Missing Authorization on REST API Index

Summary: It is possible to bypass the default REST API security and access the index page. Details: The REST API security handles rest and its subpaths but not rest with an extension, e.g., rest.html. Impact: The REST API index can disclose whether certain extensions are installed. Workaround: In...

CVSS 5.3 · AI score 7.2 · EPSS 0.01022
Exploits: 0 · References: 6
NVD
added 2025/06/10 3:15 p.m. · 18 views

CVE-2025-27505

GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension, e.g., rest.html. The REST API index can...

CVSS 5.3 · EPSS 0.01022
Exploits: 0 · References: 4
Cvelist
added 2025/06/10 2:52 p.m. · 21 views

CVE-2025-27505 GeoServer Missing Authorization on REST API Index

GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension, e.g., rest.html. The REST API index can...

CVSS 5.3 · EPSS 0.01022
Exploits: 0 · References: 4
Vulnrichment
added 2025/06/10 2:52 p.m. · 10 views

CVE-2025-27505 GeoServer Missing Authorization on REST API Index

GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension, e.g., rest.html. The REST API index can...

CVSS 5.3 · AI score 5.5 · EPSS 0.01022
Exploits: 0 · References: 4
CVE
added 2025/06/10 2:52 p.m. · 88 views

CVE-2025-27505

GeoServer contains a REST API index authorization bypass vulnerability (CVE-2025-27505). The REST security excludes paths with extensions (for example rest.html), allowing unauthenticated access to the REST API Index and potentially revealing installed extensions and API endpoints. Affected codep...

CVSS 5.3 · AI score 5.2 · EPSS 0.01022
In wild · Exploits: 0 · References: 4 · Affected Software: 1
CVE
added 2025/06/10 2:49 p.m. · 87 views

CVE-2024-40625

GeoServer's CVE-2024-40625 affects the Coverage REST API endpoint /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} where {method} = 'url' can upload arbitrary URLs without validation, enabling Server Side Request Forgery. The issue is tied to unfiltered file URL input and ...

CVSS 5.5 · AI score 5.3 · EPSS 0.00311
Exploits: 0 · References: 3 · Affected Software: 1
Vulnrichment
added 2025/06/10 2:49 p.m. · 7 views

CVE-2024-40625 GeoServer Coverage REST API Allows Server Side Request Forgery

GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage REST API /workspaces/workspaceName/coveragestores/storeName/method.format allows attackers to upload files from a specified URL when method equals 'url', with no restriction. This vulnerability is fix...

CVSS 5.5 · AI score 5.6 · EPSS 0.00311
Exploits: 0 · References: 3
Github Security Blog
added 2025/06/10 2:14 p.m. · 12 views

Coverage REST API Server Side Request Forgery

Summary: The Coverage REST API /workspaces/workspaceName/coveragestores/storeName/method.format allows uploading a file from a specified URL when method equals 'url', with no restriction. Details: The Coverage REST API /workspaces/workspaceName/coveragestores/storeName/method.format allows uploading a file...

CVSS 5.5 · AI score 5.9 · EPSS 0.00311
Exploits: 0 · References: 5 · Affected Software: 2
OSV
added 2025/06/10 2:14 p.m. · 9 views

GHSA-R4HF-R8GJ-JGW2 Coverage REST API Server Side Request Forgery

Summary: The Coverage REST API /workspaces/workspaceName/coveragestores/storeName/method.format allows uploading a file from a specified URL when method equals 'url', with no restriction. Details: The Coverage REST API /workspaces/workspaceName/coveragestores/storeName/method.format allows uploading a file...

CVSS 5.5 · AI score 7.3 · EPSS 0.00311
Exploits: 0 · References: 5
Positive Technologies
added 2025/06/10 12:00 a.m. · 19 views

PT-2025-24671 · Geoserver · Geoserver

Name of the Vulnerable Software and Affected Versions: GeoServer versions prior to 2.25.6 GeoServer versions prior to 2.26.3 Description: The issue allows bypassing the default REST API security, enabling access to the index page. This is possible because the REST API security does not handle...

CVSS 5.3 · AI score 6.3 · EPSS 0.01022
Exploits: 0 · References: 10
Positive Technologies
added 2025/06/10 12:00 a.m. · 4 views

PT-2025-26488 · Maven · Org.Geonetwork-Opensource:Gn-Web-App +1

Impact: GeoNetwork WFS Index functionality is affected by the GeoTools XML External Entity (XXE) vulnerability during schema validation. This vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files. Patches...

CVSS 8.2 · AI score 7.1
Exploits: 0 · References: 7
Positive Technologies
added 2025/06/10 12:00 a.m. · 4 views

PT-2025-24663 · Geoserver · Geoserver

Name of the Vulnerable Software and Affected Versions: GeoServer versions prior to 2.26.0 Description: The issue concerns the Coverage REST API, specifically the endpoint "/workspaces/workspaceName/coveragestores/storeName/method.format", which allows attackers to upload files with a specified UR...

CVSS 5.5 · AI score 6.5 · EPSS 0.00311
Exploits: 0 · References: 7
RedhatCVE
added 2025/06/01 5:35 a.m. · 12 views

CVE-2025-48490

Laravel Rest Api is an API generator. Prior to version 2.13.0, a validation bypass vulnerability was discovered where multiple validations defined for the same attribute could be silently overridden. Due to how the framework merged validation rules across multiple contexts such as index, store, a...

CVSS 8.7 · AI score 6.7 · EPSS 0.00515
Exploits: 0 · References: 1
NVD
added 2025/05/30 6:15 a.m. · 26 views

CVE-2025-48490

Laravel Rest Api is an API generator. Prior to version 2.13.0, a validation bypass vulnerability was discovered where multiple validations defined for the same attribute could be silently overridden. Due to how the framework merged validation rules across multiple contexts such as index, store, a...

CVSS 8.7 · EPSS 0.00515
Exploits: 0 · References: 3
Cvelist
added 2025/05/30 5:27 a.m. · 35 views

CVE-2025-48490 Laravel Rest Api has a Search Validation Bypass

Laravel Rest Api is an API generator. Prior to version 2.13.0, a validation bypass vulnerability was discovered where multiple validations defined for the same attribute could be silently overridden. Due to how the framework merged validation rules across multiple contexts such as index, store, a...

CVSS 8.7 · EPSS 0.00515
Exploits: 0 · References: 3
CVE
added 2025/05/30 5:27 a.m. · 55 views

CVE-2025-48490

CVE-2025-48490 affects the Lomkit Laravel Rest Api package (PHP). Prior to 2.13.0, the system merged validation rules across contexts (e.g., index, store, update), allowing multiple validations for the same attribute to be silently overridden. An attacker could craft requests that bypass key vali...

CVSS 8.7 · AI score 6.8 · EPSS 0.00515
Exploits: 0 · References: 3
Vulnrichment
added 2025/05/30 5:27 a.m. · 15 views

CVE-2025-48490 Laravel Rest Api has a Search Validation Bypass

Laravel Rest Api is an API generator. Prior to version 2.13.0, a validation bypass vulnerability was discovered where multiple validations defined for the same attribute could be silently overridden. Due to how the framework merged validation rules across multiple contexts such as index, store, a...

CVSS 8.7 · AI score 6.4 · EPSS 0.00515
Exploits: 0 · References: 3