Database

In MongoDB Server versions prior to 7.0.17, 8.0.5 and 6.0.21 a high severity vulnerability CVE-2025-6710 was detected. This vulnerability allows attackers to trigger a stack overflow by sending specially crafted JSON inputs that induce deep recursion during parsing, leading to server crashes. To address this issue, users should upgrade MongoDB Server to versions 7.0.17, 8.0.5 or 6.0.21. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6710.

In MongoDB Server versions prior to 5.0.31, 6.0.24, 7.0.21 and 8.0.5 a medium severity vulnerability CVE-2025-6707 was detected. This vulnerability allows authenticated users to execute requests with stale privileges under certain conditions, even after an authorized administrator has modified their access rights. To address this issue, users should upgrade MongoDB Server to versions 5.0.31, 6.0.24, 7.0.21 or 8.0.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6707.

In GeoServer versions prior to 2.25.0 a critical severity vulnerability CVE-2024-34711 was detected. This vulnerability allows attackers to perform XML External Entity (XXE) attacks, enabling them to send GET requests to arbitrary HTTP servers. The flaw lies in improper URI validation in XML entity resolution, which can be exploited to scan internal networks and gather sensitive information. To address this issue, users should upgrade GeoServer to versions 2.25.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-34711.

In GeoServer versions prior to 2.24.4 and 2.25.2 a high severity vulnerability CVE-2024-29198 was detected. This vulnerability allows attackers to perform Server-Side Request Forgery (SSRF) via the Demo request endpoint if the Proxy Base URL has not been configured. To address this issue, users should upgrade GeoServer to versions 2.24.4 or 2.25.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-29198.

In GeoServer versions prior to 2.27.1, 2.26.3 and 2.25.7 a critical severity vulnerability CVE-2025-30220 was detected. This vulnerability allows attackers to exploit XML External Entity (XXE) injection due to improper use of the EntityResolver in the GeoTools Schema class, affecting XML parsing when external schemas are referenced. To address this issue, users should upgrade GeoServer to versions 2.27.1, 2.26.3 or 2.25.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30220.

In GeoServer versions prior to 2.27.0, 2.26.3 and 2.25.7 a high severity vulnerability CVE-2025-30145 was detected. This vulnerability allows attackers to execute malicious Jiffle scripts as rendering transformations in WMS dynamic styles or WPS processes, potentially triggering an infinite loop and causing denial of service. To address this issue, users should upgrade GeoServer to versions 2.27.0, 2.26.3 or 2.25.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30145.

In GeoServer versions prior to 2.26.3 and 2.25.6 a medium severity vulnerability CVE-2025-27505 was detected. This vulnerability allows attackers to bypass REST API access controls by appending file extensions (e.g., `.html`) to the `/rest` path, potentially disclosing information about installed extensions. To address this issue, users should upgrade GeoServer to versions 2.26.3 or 2.25.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27505.

In GeoServer versions prior to 2.26.0 a medium severity vulnerability CVE-2024-40625 was detected. This vulnerability allows attackers to upload arbitrary files via the Coverage REST API endpoint `/workspaces/{workspaceName}/coveragestores/{storeName}/url.{format}` by abusing the `url` method without proper restrictions. To address this issue, users should upgrade GeoServer to versions 2.26.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-40625.

In GeoServer versions prior to 2.26.2 and 2.25.6 a medium severity vulnerability CVE-2024-38524 was detected. This vulnerability allows users to access potentially sensitive information via the `GeoWebCacheDispatcher.handleFrontPage` method, as there is no default mechanism to hide storage locations unless a specific system property is manually configured. To address this issue, users should upgrade GeoServer to versions 2.26.2 or 2.25.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-38524.