Cyber Resilience

CVE-2026-30479

CriticalRCE

Published: 09 April 2026

Published
09 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0032 23.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-30479 is a critical-severity Code Injection (CWE-94) vulnerability in Mapserver (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Dynamic-link Library Injection (T1055.001); ranked at the 23.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30479 is a Dynamic-link Library (DLL) Injection vulnerability, classified as CWE-94, affecting OSGeo Project MapServer versions before 8.0. Published on April 9, 2026, this flaw allows attackers to execute arbitrary code through a crafted executable interacting with the software.

The vulnerability has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating it is exploitable over the network with low attack complexity, no required privileges or user interaction, and unchanged scope. Remote, unauthenticated attackers can leverage it to execute arbitrary code, resulting in high impacts to confidentiality and integrity but no availability disruption.

Mitigation requires upgrading to MapServer version 8.0 or later, as the vulnerability affects prior releases. Further technical details are documented in the research repository at https://github.com/penjaminTester/Research/tree/main/CVE-2026-30479 and on the official MapServer site at https://mapserver.org/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1055.001 Dynamic-link Library Injection Stealth
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is explicitly a DLL Injection flaw (directly matching T1055.001) in a public-facing MapServer application that permits remote unauthenticated arbitrary code execution (matching T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229Shared CWE-94
CVE-2026-44262Shared CWE-94
CVE-2026-40563Shared CWE-94
CVE-2024-32641Shared CWE-94
CVE-2025-71243Shared CWE-94
CVE-2026-2052Shared CWE-94
CVE-2026-9170Shared CWE-94
CVE-2025-54451Shared CWE-94
CVE-2025-50692Shared CWE-94
CVE-2025-22204Shared CWE-94

Affected Assets

Mapserver
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the DLL injection vulnerability by requiring timely flaw remediation through upgrading MapServer to version 8.0 or later.

prevent

Protects against arbitrary code execution from DLL injection by implementing memory safeguards such as DEP and ASLR to restrict unauthorized code execution in MapServer processes.

preventdetect

Deploys malicious code protection mechanisms to scan for and block crafted executables or injected DLLs targeting MapServer.

References