The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting OSGeo GeoServer to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation in the wild.

The vulnerability in question is CVE-2025-58360 (CVSS score: 8.2), an unauthenticated XML External Entity ( XXE ) flaw that affects all versions prior to and including 2.25.5, and from versions 2.26.0 through 2.26.1. It has been patched in versions 2.25.6 , 2.26.2 , 2.27.0 , 2.28.0 , and 2.28.1 . Artificial intelligence (AI)-powered vulnerability discovery platform XBOW has been acknowledged for reporting the issue.

"OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs

See Full Page