Cyber Resilience

CVE-2026-45104

HighPublic PoC

Published: 27 May 2026

Published
27 May 2026
Modified
02 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0028 19.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-45104 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Osgeo Mapserver. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> — it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally…

more

valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated NULL dereference in public WMS SLD parser enables application-layer DoS via crafted input; maps to public-facing app exploitation and application exploitation for availability impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33721Same product: Osgeo Mapserver
CVE-2026-49014Same vendor: Osgeo
CVE-2026-32696Shared CWE-476
CVE-2025-63655Shared CWE-476
CVE-2026-27651Shared CWE-476
CVE-2026-25501Shared CWE-476
CVE-2026-33283Shared CWE-476
CVE-2026-2507Shared CWE-476
CVE-2026-0918Shared CWE-476
CVE-2025-69248Shared CWE-129

Affected Assets

osgeo
mapserver
6.4.0 — 8.6.3

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References