CVE-2026-33721

MEDIUM NVD

CVSS Score 5.3

Severity MEDIUM

Published Mar 27, 2026

Vendor unknown

Description

MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue.

References

https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1
https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp