{"url":"http://public2.vulnerablecode.io/api/packages/1076290?format=json","purl":"pkg:deb/debian/mapserver@5.0.3-3%2Blenny7","type":"deb","namespace":"debian","name":"mapserver","version":"5.0.3-3+lenny7","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"8.4.0-1~bpo12+1","latest_non_vulnerable_version":"8.6.4-1~bpo13+1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/186156?format=json","vulnerability_id":"VCID-11st-sd9f-xqh7","summary":"security update","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-5522","reference_id":"","reference_type":"","scores":[{"value":"0.06039","scoring_system":"epss","scoring_elements":"0.90925","published_at":"2026-06-11T12:55:00Z"},{"value":"0.06039","scoring_system":"epss","scoring_elements":"0.90954","published_at":"2026-06-12T12:55:00Z"},{"value":"0.06039","scoring_system":"epss","scoring_elements":"0.9096","published_at":"2026-06-13T12:55:00Z"},{"value":"0.06039","scoring_system":"epss","scoring_elements":"0.90959","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-5522"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5522","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5522"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076294?format=json","purl":"pkg:deb/debian/mapserver@6.4.1-5%2Bdeb8u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@6.4.1-5%252Bdeb8u3"},{"url":"http://public2.vulnerablecode.io/api/packages/1087526?format=json","purl":"pkg:deb/debian/mapserver@7.0.4-2","is_vu
lnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@7.0.4-2"}],"aliases":["CVE-2017-5522"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-11st-sd9f-xqh7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201770?format=json","vulnerability_id":"VCID-1f97-thuk-vkbw","summary":"Buffer overflow in the msTmpFile function in maputil.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 allows local users to cause a denial of service via vectors involving names of temporary files.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2010-2539","reference_id":"","reference_type":"","scores":[{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19941","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.20113","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.20132","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.20107","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2010-2539"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2539","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2539"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerabilit
y":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2010-2539"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1f97-thuk-vkbw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201395?format=json","vulnerability_id":"VCID-4pkm-r9ea-1kfm","summary":"Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2, when the server has a map with a long IMAGEPATH or NAME attribute, allows remote attackers to execute arbitrary code via a crafted id parameter in a query action.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0839.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0839.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0839","reference_id":"","reference_type":"","scores":[{"value":"0.06436","scoring_system":"epss","scoring_elements":"0.91263","published_at":"2026-06-11T12:55:00Z"},{"value":"0.06436","scoring_system":"epss","scoring_elements":"0.91293","published_at":"2026-06-12T12:55:00Z"},{"value":"0.06436","scoring_system":"epss","scoring_elements":"0.91301","published_at":"2026-06-13T12:55:00Z"},{"value":"0.06436","scoring_system":"epss","scoring_elements":"0.91298","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0839"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0839","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0839"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cg
i?id=493364","reference_id":"493364","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027","reference_id":"523027","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2009-0839"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4pkm-r9ea-1kfm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201735?format=json","vulnerability_id":"VCID-5zf2-7k6j-fucf","summary":"Mapserver 5.2, 5.4 and 5.6 before 5.6.5-2 improperly validates symbol index values during Mapfile 
parsing.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2010-1678","reference_id":"","reference_type":"","scores":[{"value":"0.00681","scoring_system":"epss","scoring_elements":"0.72098","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00681","scoring_system":"epss","scoring_elements":"0.72183","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00681","scoring_system":"epss","scoring_elements":"0.72195","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00681","scoring_system":"epss","scoring_elements":"0.72191","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2010-1678"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1678","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1678"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2010-1678"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5zf2-7k6j-fucf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/204637?format=json","vulnerability_id":"VCID-7vx7-a1nv-gbbv","summary":"In MapServer before 7.0.3, OGR driver error messages are too verbose and may leak sensitive information if data connection 
fails.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9839","reference_id":"","reference_type":"","scores":[{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.58228","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.5834","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.58356","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.58344","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-9839"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9839","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9839"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1087525?format=json","purl":"pkg:deb/debian/mapserver@7.0.4-1~bpo8%2B1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@7.0.4-1~bpo8%252B1"}],"aliases":["CVE-2016-9839"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7vx7-a1nv-gbbv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/202012?format=json","vulnerability_id":"VCID-7zrt-h957-y3cq","summary":"Multiple SQL injection vulnerabilities in MapServer before 4.10.7, 5.x before 5.6.7, and 6.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) OGC filter encoding or (2) WMS time 
support.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2703","reference_id":"","reference_type":"","scores":[{"value":"0.01573","scoring_system":"epss","scoring_elements":"0.81956","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01573","scoring_system":"epss","scoring_elements":"0.82016","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01573","scoring_system":"epss","scoring_elements":"0.82025","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01573","scoring_system":"epss","scoring_elements":"0.82017","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2703"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2703","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2703"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076292?format=json","purl":"pkg:deb/debian/mapserver@6.0.1-3.2%2Bdeb7u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@6.0.1-3.2%252Bdeb7u2"}],"aliases":["CVE-2011-2703"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7zrt-h957-y3cq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/202024?format=json","vulnerability_id":"VCID-9gxz-zkju-ruce","summary":"Double free vulnerability in the msAddImageSymbol function in mapsymbol.c in MapServer before 6.0.1 might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact via crafted mapfile 
data.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2975","reference_id":"","reference_type":"","scores":[{"value":"0.02462","scoring_system":"epss","scoring_elements":"0.85571","published_at":"2026-06-11T12:55:00Z"},{"value":"0.02462","scoring_system":"epss","scoring_elements":"0.85622","published_at":"2026-06-12T12:55:00Z"},{"value":"0.02462","scoring_system":"epss","scoring_elements":"0.85631","published_at":"2026-06-13T12:55:00Z"},{"value":"0.02462","scoring_system":"epss","scoring_elements":"0.85624","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2975"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2975","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2975"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/windows/dos/36092.pl","reference_id":"CVE-2011-2975;OSVDB-74218","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/windows/dos/36092.pl"},{"reference_url":"https://www.securityfocus.com/bid/49374/info","reference_id":"CVE-2011-2975;OSVDB-74218","reference_type":"exploit","scores":[],"url":"https://www.securityfocus.com/bid/49374/info"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076292?format=json","purl":"pkg:deb/debian/mapserver@6.0.1-3.2%2Bdeb7u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@6.0.1-3.2%252Bdeb7u2"}],"aliases":["CVE-2011-2975"],"risk_score":null,"exploitability":"2.0","weighted_severity":"0.0","resource_url":"http://p
ublic2.vulnerablecode.io/vulnerabilities/VCID-9gxz-zkju-ruce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201809?format=json","vulnerability_id":"VCID-awyq-afb8-hkha","summary":"SQL injection vulnerability in common.php in LightNEasy 3.2.1 allows remote attackers to execute arbitrary SQL commands via the userhandle cookie to LightNEasy.php, a different vector than CVE-2008-6593.  NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2010-3485","reference_id":"","reference_type":"","scores":[{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60356","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60462","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60473","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00389","scoring_system":"epss","scoring_elements":"0.60466","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2010-3485"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3485","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3485"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver
@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2010-3485"],"risk_score":null,"exploitability":"2.0","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-awyq-afb8-hkha"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201413?format=json","vulnerability_id":"VCID-hed7-buez-3qd3","summary":"mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 does not ensure that the string holding the id parameter ends in a '\\0' character, which allows remote attackers to conduct buffer-overflow attacks or have unspecified other impact via a long id parameter in a query action.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1176.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1176.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-1176","reference_id":"","reference_type":"","scores":[{"value":"0.02026","scoring_system":"epss","scoring_elements":"0.84155","published_at":"2026-06-11T12:55:00Z"},{"value":"0.02026","scoring_system":"epss","scoring_elements":"0.8421","published_at":"2026-06-12T12:55:00Z"},{"value":"0.02026","scoring_system":"epss","scoring_elements":"0.84219","published_at":"2026-06-13T12:55:00Z"},{"value":"0.02026","scoring_system":"epss","scoring_elements":"0.84214","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-1176"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1176","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1176"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364","reference_id":"493364","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027","reference_id":"523027","reference_
type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2009-1176"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hed7-buez-3qd3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208501?format=json","vulnerability_id":"VCID-hvmb-9dhn-jbae","summary":"MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and 7.4.x before 7.4.5, and 7.5.x and 7.6.x before 7.6.3 does not properly enforce the MS_MAP_NO_PATH and MS_MAP_PATTERN restrictions that are intended to control the locations from which a mapfile may be loaded (with MapServer 
CGI).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32062","reference_id":"","reference_type":"","scores":[{"value":"0.00951","scoring_system":"epss","scoring_elements":"0.76814","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00951","scoring_system":"epss","scoring_elements":"0.76884","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00951","scoring_system":"epss","scoring_elements":"0.76898","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00951","scoring_system":"epss","scoring_elements":"0.76892","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32062"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32062","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32062"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988208","reference_id":"988208","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988208"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1079495?format=json","purl":"pkg:deb/debian/mapserver@8.0.0-3%2Bdeb12u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6pyv-3hq3-r7gr"},{"vulnerability":"VCID-khdz-dhfc-87cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@8.0.0-3%252Bdeb12u1"}],"aliases":["CVE-2021-32062"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hvmb-9dhn-jbae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/202013?format=json","vulnerability_id":"VCID-p6dh-mvsb-hkf4","summary":"Stack-based buffer overflow in MapServer before 4.10.7 and 5.x before 5.6.7 allows remote attackers to execute arbitrary code via vectors related to OGC filter 
encoding.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2704","reference_id":"","reference_type":"","scores":[{"value":"0.0765","scoring_system":"epss","scoring_elements":"0.92077","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0765","scoring_system":"epss","scoring_elements":"0.92103","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0765","scoring_system":"epss","scoring_elements":"0.9211","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0765","scoring_system":"epss","scoring_elements":"0.92107","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2011-2704"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2704","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2704"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076292?format=json","purl":"pkg:deb/debian/mapserver@6.0.1-3.2%2Bdeb7u2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@6.0.1-3.2%252Bdeb7u2"}],"aliases":["CVE-2011-2704"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p6dh-mvsb-hkf4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201398?format=json","vulnerability_id":"VCID-pdma-afyp-3ydz","summary":"mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to read arbitrary invalid .map files via a full pathname in the map parameter, which triggers the display of partial file contents within an error message, as demonstrated by a /tmp/sekrut.map 
symlink.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0842.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0842.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0842","reference_id":"","reference_type":"","scores":[{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.75029","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.751","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.75113","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00832","scoring_system":"epss","scoring_elements":"0.7511","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0842"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0842","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0842"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364","reference_id":"493364","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027","reference_id":"523027","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ys
rk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2009-0842"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pdma-afyp-3ydz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201808?format=json","vulnerability_id":"VCID-psce-d1d8-w3b9","summary":"SQL injection vulnerability in common.php in LightNEasy 3.2.1 allows remote attackers to execute arbitrary SQL commands via the handle parameter to LightNEasy.php, a different vector than CVE-2008-6593.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2010-3484","reference_id":"","reference_type":"","scores":[{"value":"0.00519","scoring_system":"epss","scoring_elements":"0.6723","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00519","scoring_system":"epss","scoring_elements":"0.67321","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00519","scoring_system":"epss","scoring_elements":"0.67336","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00519","scoring_system":"epss","scoring_elements":"0.67335","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2010-3484"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3484","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3484"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/15060.txt","reference_id":"CVE-2010-4752;CVE-2010-4751;OSVDB-68152;CVE-2010-3485;CVE-2010-3484","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/15060.txt"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnera
bilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2010-3484"],"risk_score":null,"exploitability":"2.0","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-psce-d1d8-w3b9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101006?format=json","vulnerability_id":"VCID-qeub-3mrq-xqaj","summary":"MapServer is a system for developing web-based GIS applications. Prior to 8.4.1, the XML Filter Query directive PropertyName is vulnerable to Boolean-based SQL injection. It seems like expression checking is bypassed by introducing double quote characters in the PropertyName, allowing manipulation of backend database queries. 
This vulnerability is fixed in 8.4.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59431","reference_id":"","reference_type":"","scores":[{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.23384","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.23579","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.23591","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00078","scoring_system":"epss","scoring_elements":"0.23569","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59431"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59431","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59431"},{"reference_url":"https://github.com/MapServer/MapServer/security/advisories/GHSA-256m-rx4h-r55w","reference_id":"GHSA-256m-rx4h-r55w","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-09-19T19:41:51Z/"}],"url":"https://github.com/MapServer/MapServer/security/advisories/GHSA-256m-rx4h-r55w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1079495?format=json","purl":"pkg:deb/debian/mapserver@8.0.0-3%2Bdeb12u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6pyv-3hq3-r7gr"},{"vulnerability":"VCID-khdz-dhfc-87cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@8.0.0-3%252Bdeb12u1"}],"aliases":["CVE-2025-59431"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qeub-3mrq-xqaj"},{"url":"http://public2.vulnerablecode.io/ap
i/vulnerabilities/201463?format=json","vulnerability_id":"VCID-srrz-wzj9-3ugc","summary":"Multiple heap-based buffer underflows in the readPostBody function in cgiutil.c in mapserv in MapServer 4.x through 4.10.4 and 5.x before 5.4.2 allow remote attackers to execute arbitrary code via (1) a crafted Content-Length HTTP header or (2) a large HTTP request, related to an integer overflow that triggers a heap-based buffer overflow.  NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-0840.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2281.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2281.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2281","reference_id":"","reference_type":"","scores":[{"value":"0.11504","scoring_system":"epss","scoring_elements":"0.93782","published_at":"2026-06-11T12:55:00Z"},{"value":"0.11504","scoring_system":"epss","scoring_elements":"0.93802","published_at":"2026-06-12T12:55:00Z"},{"value":"0.11504","scoring_system":"epss","scoring_elements":"0.93806","published_at":"2026-06-13T12:55:00Z"},{"value":"0.11504","scoring_system":"epss","scoring_elements":"0.93809","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-2281"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2281","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2281"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=509559","reference_id":"509559","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=509559"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535340","reference_id":"535340","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535340"}],"fixed_packages":[{"url":"http://
public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2009-2281"],"risk_score":0.1,"exploitability":"0.5","weighted_severity":"0.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-srrz-wzj9-3ugc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201400?format=json","vulnerability_id":"VCID-u2pk-u8t9-zfea","summary":"The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to determine the existence of arbitrary files via a full pathname in the queryfile parameter, which triggers different error messages depending on whether this pathname 
exists.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0843.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0843.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0843","reference_id":"","reference_type":"","scores":[{"value":"0.01032","scoring_system":"epss","scoring_elements":"0.77764","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01032","scoring_system":"epss","scoring_elements":"0.77833","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01032","scoring_system":"epss","scoring_elements":"0.77846","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01032","scoring_system":"epss","scoring_elements":"0.77839","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0843"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0843","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0843"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364","reference_id":"493364","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027","reference_id":"523027","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-
ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2009-0843"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u2pk-u8t9-zfea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201414?format=json","vulnerability_id":"VCID-vr94-32ja-53eu","summary":"Multiple stack-based buffer overflows in maptemplate.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 have unknown impact and remote attack vectors.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1177.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-1177.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-1177","reference_id":"","reference_type":"","scores":[{"value":"0.01153","scoring_system":"epss","scoring_elements":"0.78935","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01153","scoring_system":"epss","scoring_elements":"0.79","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01153","scoring_system":"epss","scoring_elements":"0.79014","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01153","scoring_system":"epss","scoring_elements":"0.79012","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-1177"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1177","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1177"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364","reference_id":"493364","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027","reference_id":"523027","reference_type":"","scores":[],"url":"https:/
/bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2009-1177"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vr94-32ja-53eu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77806?format=json","vulnerability_id":"VCID-x25n-x4m5-ffhv","summary":"MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). 
Version 8.6.1 patches the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33721.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33721.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33721","reference_id":"","reference_type":"","scores":[{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53912","published_at":"2026-06-14T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53783","published_at":"2026-06-11T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53909","published_at":"2026-06-12T12:55:00Z"},{"value":"0.003","scoring_system":"epss","scoring_elements":"0.53926","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33721"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33721","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33721"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452066","reference_id":"2452066","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452066"},{"reference_url":"https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp","reference_id":"GHSA-cv4m-mr84-fgjp","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:51:50Z/"}],"url":"https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp"},{"reference_url":"https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1","reference_id":"rel-8-6-1","reference_type
":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T11:51:50Z/"}],"url":"https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1079495?format=json","purl":"pkg:deb/debian/mapserver@8.0.0-3%2Bdeb12u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6pyv-3hq3-r7gr"},{"vulnerability":"VCID-khdz-dhfc-87cq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@8.0.0-3%252Bdeb12u1"}],"aliases":["CVE-2026-33721"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x25n-x4m5-ffhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201397?format=json","vulnerability_id":"VCID-y54u-c41g-bke9","summary":"Directory traversal vulnerability in mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2, when running on Windows with Cygwin, allows remote attackers to create arbitrary files via a .. 
(dot dot) in the id parameter.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0841.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0841.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0841","reference_id":"","reference_type":"","scores":[{"value":"0.00786","scoring_system":"epss","scoring_elements":"0.74231","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00786","scoring_system":"epss","scoring_elements":"0.74306","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00786","scoring_system":"epss","scoring_elements":"0.74318","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00786","scoring_system":"epss","scoring_elements":"0.74316","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0841"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0841","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0841"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364","reference_id":"493364","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027","reference_id":"523027","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},
{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2009-0841"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y54u-c41g-bke9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/203142?format=json","vulnerability_id":"VCID-ysrk-bby3-cugc","summary":"SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-7262","reference_id":"","reference_type":"","scores":[{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40186","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40355","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40376","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00185","scoring_system":"epss","scoring_elements":"0.40365","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-7262"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7262","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7262"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734565","reference_id":"734565","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734565"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076293?format=json","purl":"pkg:deb/debian/mapserver@6.4.1-5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability"
:"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@6.4.1-5"}],"aliases":["CVE-2013-7262"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ysrk-bby3-cugc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201771?format=json","vulnerability_id":"VCID-zb9s-muc1-zygr","summary":"mapserv.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 does not properly restrict the use of CGI command-line arguments that were intended for debugging, which allows remote attackers to have an unspecified impact via crafted arguments.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2010-2540","reference_id":"","reference_type":"","scores":[{"value":"0.01976","scoring_system":"epss","scoring_elements":"0.83937","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01976","scoring_system":"epss","scoring_elements":"0.83994","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01976","scoring_system":"epss","scoring_elements":"0.84001","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01976","scoring_system":"epss","scoring_elements":"0.83996","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2010-2540"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2540","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2540"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-r
uce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2010-2540"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zb9s-muc1-zygr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/201396?format=json","vulnerability_id":"VCID-zf42-hq7t-9ffq","summary":"Heap-based buffer underflow in the readPostBody function in cgiutil.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to have an unknown impact via a negative value in the Content-Length HTTP header.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0840.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-0840.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0840","reference_id":"","reference_type":"","scores":[{"value":"0.02704","scoring_system":"epss","scoring_elements":"0.8622","published_at":"2026-06-11T12:55:00Z"},{"value":"0.02704","scoring_system":"epss","scoring_elements":"0.86271","published_at":"2026-06-12T12:55:00Z"},{"value":"0.02704","scoring_system":"epss","scoring_elements":"0.86281","published_at":"2026-06-13T12:55:00Z"},{"value":"0.02704","scoring_system":"epss","scoring_elements":"0.86279","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2009-0840"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0840","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0840"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=49336
4","reference_id":"493364","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=493364"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027","reference_id":"523027","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=523027"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076291?format=json","purl":"pkg:deb/debian/mapserver@5.6.5-2%2Bsqueeze3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-ysrk-bby3-cugc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.6.5-2%252Bsqueeze3"}],"aliases":["CVE-2009-0840"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zf42-hq7t-9ffq"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/200791?format=json","vulnerability_id":"VCID-74h8-sgr1-gfbj","summary":"Multiple cross-site scripting (XSS) vulnerabilities in MapServer before 4.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the (1) processLine function in maptemplate.c and the (2) writeError function in mapserv.c in the mapserv CGI 
program.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2007-4542","reference_id":"","reference_type":"","scores":[{"value":"0.00809","scoring_system":"epss","scoring_elements":"0.74646","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00809","scoring_system":"epss","scoring_elements":"0.74717","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00809","scoring_system":"epss","scoring_elements":"0.7473","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00809","scoring_system":"epss","scoring_elements":"0.74728","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2007-4542"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4542","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4542"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=439346","reference_id":"439346","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=439346"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076290?format=json","purl":"pkg:deb/debian/mapserver@5.0.3-3%2Blenny7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-1f97-thuk-vkbw"},{"vulnerability":"VCID-4pkm-r9ea-1kfm"},{"vulnerability":"VCID-5zf2-7k6j-fucf"},{"vulnerability":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-awyq-afb8-hkha"},{"vulnerability":"VCID-hed7-buez-3qd3"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-pdma-afyp-3ydz"},{"vulnerability":"VCID-psce-d1d8-w3b9"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-srrz-wzj9-3ugc"},{"vulnerability":"VCID-u2pk-u8t9-zfea"},{"vulnerability":"VCID-vr94-32ja-53eu"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-y54u-c41g-bk
e9"},{"vulnerability":"VCID-ysrk-bby3-cugc"},{"vulnerability":"VCID-zb9s-muc1-zygr"},{"vulnerability":"VCID-zf42-hq7t-9ffq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.0.3-3%252Blenny7"}],"aliases":["CVE-2007-4542"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-74h8-sgr1-gfbj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/200796?format=json","vulnerability_id":"VCID-t3ja-k9c8-1kbq","summary":"Buffer overflow in the processLine function in maptemplate.c in MapServer before 4.10.3 allows attackers to cause a denial of service and possibly execute arbitrary code via a mapfile with a long layer name, group name, or metadata entry name.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2007-4629","reference_id":"","reference_type":"","scores":[{"value":"0.01362","scoring_system":"epss","scoring_elements":"0.80587","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01362","scoring_system":"epss","scoring_elements":"0.80648","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01362","scoring_system":"epss","scoring_elements":"0.8066","published_at":"2026-06-13T12:55:00Z"},{"value":"0.01362","scoring_system":"epss","scoring_elements":"0.80651","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2007-4629"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4629","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4629"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1076290?format=json","purl":"pkg:deb/debian/mapserver@5.0.3-3%2Blenny7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-11st-sd9f-xqh7"},{"vulnerability":"VCID-1f97-thuk-vkbw"},{"vulnerability":"VCID-4pkm-r9ea-1kfm"},{"vulnerability":"VCID-5zf2-7k6j-fucf"},{"vulnerabil
ity":"VCID-7vx7-a1nv-gbbv"},{"vulnerability":"VCID-7zrt-h957-y3cq"},{"vulnerability":"VCID-9gxz-zkju-ruce"},{"vulnerability":"VCID-awyq-afb8-hkha"},{"vulnerability":"VCID-hed7-buez-3qd3"},{"vulnerability":"VCID-hvmb-9dhn-jbae"},{"vulnerability":"VCID-p6dh-mvsb-hkf4"},{"vulnerability":"VCID-pdma-afyp-3ydz"},{"vulnerability":"VCID-psce-d1d8-w3b9"},{"vulnerability":"VCID-qeub-3mrq-xqaj"},{"vulnerability":"VCID-srrz-wzj9-3ugc"},{"vulnerability":"VCID-u2pk-u8t9-zfea"},{"vulnerability":"VCID-vr94-32ja-53eu"},{"vulnerability":"VCID-x25n-x4m5-ffhv"},{"vulnerability":"VCID-y54u-c41g-bke9"},{"vulnerability":"VCID-ysrk-bby3-cugc"},{"vulnerability":"VCID-zb9s-muc1-zygr"},{"vulnerability":"VCID-zf42-hq7t-9ffq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.0.3-3%252Blenny7"}],"aliases":["CVE-2007-4629"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ja-k9c8-1kbq"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/mapserver@5.0.3-3%252Blenny7"}