Published: May 8, 2026 | Last Modified: May 8, 2026
MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2.
This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.