CISA Adds Actively Exploited GeoServer XXE Flaw (CVE-2025-58360) to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability in OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed active exploitation and elevating its priority for patching in operational environments.

The vulnerability is CVE-2025-58360 (CVSS score: 8.2), an unauthenticated XML External Entity (XXE) issue that impacts all versions up to and including 2.25.5, as well as versions 2.26.0 through 2.26.1. Remediation is available in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1. The issue was reported through the maintainers’ process by the XBOW AI-assisted vulnerability discovery platform.

“OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request,” CISA said.

The following packages are impacted by this vulnerability:

  • docker.osgeo.org/geoserver
  • org.geoserver.web:gs-web-app (Maven)
  • org.geoserver:gs-wms (Maven)

According to the project maintainers’ advisory, successful exploitation enables an attacker to read arbitrary files from the server file system, perform Server-Side Request Forgery (SSRF) to reach internal services, or trigger denial-of-service (DoS) conditions by consuming resources. For SOC teams, each of these outcomes maps directly to data exposure, lateral movement, and availability-impact scenarios that require monitoring and incident response coverage.

Public details on how this bug is being operationalized in current campaigns are not yet available. However, the Canadian Centre for Cyber Security stated in a November 28, 2025 bulletin that “an exploit for CVE-2025-58360 exists in the wild,” which should be treated as a signal to prioritize detection engineering and patch verification.
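One way to operationalise both of those tasks, as an added example that is not part of the article or of the GeoServer project: a Python script that checks a reported GeoServer version against the affected ranges stated above and flags WMS GetMap requests whose XML declares external entities. It assumes requests have already been parsed into method, path, query and body, and that the XML may arrive either in a POST body or URL-encoded in a query parameter.

```python
import re
from typing import NamedTuple
from urllib.parse import unquote_plus

def is_affected(version: str) -> bool:
    """True if version is in the advisory's affected ranges (<=2.25.5, 2.26.0-2.26.1)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return v <= (2, 25, 5) or (2, 26, 0) <= v <= (2, 26, 1)

# A DTD declaring an external (SYSTEM/PUBLIC) entity is the construct the
# advisory says the GetMap endpoint should not be accepting from clients.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(r"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)
GETMAP_RE = re.compile(r"request=getmap|<(\w+:)?GetMap\b", re.IGNORECASE)

class Request(NamedTuple):
    method: str
    path: str
    query: str  # raw query string; XML may be URL-encoded here (assumption)
    body: str   # request body, empty for GET

def findings(req: Request) -> list[str]:
    """Detection labels for one request to the WMS endpoint (empty = clean)."""
    if not req.path.lower().startswith("/geoserver/wms"):
        return []
    text = unquote_plus(req.query) + "\n" + req.body
    if not GETMAP_RE.search(text):
        return []
    out = []
    if DOCTYPE_RE.search(text):
        out.append("doctype-in-getmap")
    if EXT_ENTITY_RE.search(text):
        out.append("external-entity-declaration")
    return out

def scan(requests: list[Request]) -> dict[int, list[str]]:
    """Index -> labels for every request in a batch that raised a finding."""
    return {i: f for i, r in enumerate(requests) if (f := findings(r))}

# Constructed sample traffic, not real logs: a benign GetMap, a POST whose
# body declares an external entity, and a non-WMS request that is ignored.
SAMPLE = [
    Request("GET", "/geoserver/wms", "SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states", ""),
    Request("POST", "/geoserver/wms", "",
            '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]><GetMap version="1.1.1"/>'),
    Request("GET", "/geoserver/wfs", "REQUEST=GetFeature", ""),
]
```

Widen the path match if your deployment exposes the WMS service under additional URL prefixes, and treat any hit on the external-entity label on an unpatched version as an incident to triage rather than a log curiosity.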

Another critical issue in the same product (CVE-2024-36401, CVSS score: 9.8) has already been by over the . Federal Civilian Executive Branch (FCEB) agencies have been instructed to deploy the relevant fixes by January 1, 2026, to reduce exposure across their environments.


All Rights Reserved by Jutsu Inc. | 2024