Older MapServer versions can crash from bad SLD input
CVE-2026-33721
Summary
MapServer versions from 4.2 up to, but not including, 8.6.1 can crash when processing certain Styled Layer Descriptor (SLD) input. Attackers can exploit this to take down a server. Update to version 8.6.1 or later to fix this problem.
Original title
MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser...
Original description
MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue.
NVD CVSS 3.1
5.3
Vulnerability type
CWE-787
Out-of-bounds Write
Published: 27 Mar 2026 · Updated: 27 Mar 2026 · First seen: 27 Mar 2026
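A screening check for the condition in the description, as an added example (not MapServer's code or its patch): it counts Threshold children per Categorize element in a GetMap `SLD_BODY` parameter and blocks anything above the 100-element limit the description gives. The function names and the sample URL are constructed for illustration; SLD delivered in a POST body or through the `SLD=` URL reference is not covered.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, quote, urlsplit

MAX_THRESHOLDS = 100  # per the description: more than 100 triggers the overflow


def _local(tag):
    """Strip an XML namespace so 'se:Threshold' and 'Threshold' compare equal."""
    return tag.rsplit("}", 1)[-1]


def max_thresholds(sld_xml):
    """Largest count of Threshold children under any single Categorize element."""
    if "<!DOCTYPE" in sld_xml.upper():
        raise ValueError("DTD not allowed in SLD")  # keep entity tricks out of the parser
    root = ET.fromstring(sld_xml)
    counts = [
        sum(1 for child in el if _local(child.tag) == "Threshold")
        for el in root.iter()
        if _local(el.tag) == "Categorize"
    ]
    return max(counts, default=0)


def screen_getmap(url):
    """Return 'no-sld', 'allow' or 'block' for one WMS request URL."""
    # WMS parameter names are case-insensitive, so normalise the keys.
    params = {k.upper(): v for k, v in parse_qsl(urlsplit(url).query)}
    body = params.get("SLD_BODY")
    if body is None:
        return "no-sld"
    try:
        return "block" if max_thresholds(body) > MAX_THRESHOLDS else "allow"
    except (ET.ParseError, ValueError):
        return "block"  # unparseable or DTD-bearing SLD: fail closed


def sample_url(n):
    """Constructed test input: a bare ColorMap fragment (not a full SLD) with n Thresholds."""
    frag = "<ColorMap><Categorize>" + "<Threshold>1</Threshold>" * n + "</Categorize></ColorMap>"
    return "http://gis.example/wms?SERVICE=WMS&REQUEST=GetMap&sld_body=" + quote(frag)
```

A check like this is a stopgap in front of unpatched servers; the fix the page names is the upgrade to 8.6.1.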