CVE-2025-21621 – GeoServer Reflected Cross-Site Scripting (XSS) vulnerability in WMS GetFeatureInfo HTML format

CVE ID : CVE-2025-21621

Published : Nov. 25, 2025, 10:15 p.m. | 1 hour, 7 minutes ago

Description : GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim’s browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0.

Severity: 6.1 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…