Vulnerability Description
MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue.
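A defender-side pre-check for the condition described above, added here as an example and not code from MapServer or the advisory: it parses an SLD_BODY, counts the direct Threshold children of every Categorize element, and refuses to forward a body in which any Categorize carries more than 100 of them, the boundary the description gives. Elements are matched by local name so that both the SE and SLD namespaces are covered (an assumption about how the body is written); treating exactly 100 as still acceptable follows from the "more than 100" wording and is likewise an assumption. The sample SLD is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Upper bound of Threshold elements per Categorize that this filter accepts.
# The advisory says more than 100 Thresholds trigger the overflow in
# unpatched MapServer, so 100 is used as the cap (assumption: 100 is safe).
MAX_THRESHOLDS_PER_CATEGORIZE = 100


def _local_name(tag: str) -> str:
    """Strip an ElementTree '{namespace}' prefix so the check works whether
    the elements sit in the SE or the SLD namespace (assumption)."""
    return tag.rsplit("}", 1)[-1]


def threshold_counts(sld_xml: str) -> list[int]:
    """Return the number of direct Threshold children of every Categorize
    element found anywhere in the document. Raises ET.ParseError on
    malformed XML."""
    root = ET.fromstring(sld_xml)
    counts = []
    for elem in root.iter():
        if _local_name(elem.tag) == "Categorize":
            counts.append(sum(1 for child in elem
                              if _local_name(child.tag) == "Threshold"))
    return counts


def sld_body_is_acceptable(sld_xml: str,
                           limit: int = MAX_THRESHOLDS_PER_CATEGORIZE) -> bool:
    """Decide whether an SLD_BODY may be forwarded to an unpatched MapServer.
    Malformed XML is rejected as well: the backend parser is what we are
    protecting, so it should not see input this filter could not parse."""
    try:
        counts = threshold_counts(sld_xml)
    except ET.ParseError:
        return False
    return all(n <= limit for n in counts)


# Constructed sample (not from the advisory): one ColorMap/Categorize with
# three Threshold elements, well under the limit.
SAMPLE_SLD = """<StyledLayerDescriptor version="1.1.0"
    xmlns="http://www.opengis.net/sld" xmlns:se="http://www.opengis.net/se">
  <NamedLayer><se:Name>dem</se:Name>
    <UserStyle><se:FeatureTypeStyle><se:Rule><se:RasterSymbolizer>
      <se:ColorMap>
        <se:Categorize fallbackValue="#000000">
          <se:LookupValue>Rasterdata</se:LookupValue>
          <se:Value>#0000ff</se:Value>
          <se:Threshold>100</se:Threshold><se:Value>#00ff00</se:Value>
          <se:Threshold>200</se:Threshold><se:Value>#ffff00</se:Value>
          <se:Threshold>300</se:Threshold><se:Value>#ff0000</se:Value>
        </se:Categorize>
      </se:ColorMap>
    </se:RasterSymbolizer></se:Rule></se:FeatureTypeStyle></UserStyle>
  </NamedLayer>
</StyledLayerDescriptor>"""


if __name__ == "__main__":
    print("Threshold count per Categorize:", threshold_counts(SAMPLE_SLD))
    print("acceptable:", sld_body_is_acceptable(SAMPLE_SLD))
```

This belongs in a reverse proxy or WAF hook in front of an instance that cannot be upgraded yet; it is a stopgap, and upgrading to 8.6.1 remains the fix. The SLD_BODY parameter arrives URL-encoded in the GetMap query string, so decode it before calling `sld_body_is_acceptable`, and for untrusted XML in production prefer a hardened parser such as defusedxml over the standard library one used here.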
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Osgeo | Mapserver | >= 4.2.0, < 8.6.1 |
Related Weaknesses (CWE)
References
- https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1 (Product, Release Notes)
- https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp (Exploit, Mitigation, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2026/04/msg00017.html
FAQ
What is CVE-2026-33721?
CVE-2026-33721 is a vulnerability with a CVSS score of 5.3 (MEDIUM). MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser le...
How severe is CVE-2026-33721?
CVE-2026-33721 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2026-33721?
Check the references section above for vendor advisories and patch information. Affected products include: Osgeo Mapserver.