CVE-2026-45104 Common Vulnerabilities and Exposures

Upstream information

CVE-2026-45104 at MITRE

Description

MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> - it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail	CNA (GitHub)
Base Score	7.5
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None
Scope	Unchanged
Confidentiality Impact	None
Integrity Impact	None
Availability Impact	High
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1266663 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s)	Fixed package version(s)	References
openSUSE Leap 16.0	`libjavamapscript >= 8.6.3-bp160.1.1` `libmapserver2 >= 8.6.3-bp160.1.1` `mapserver >= 8.6.3-bp160.1.1` `mapserver-devel >= 8.6.3-bp160.1.1` `perl-mapscript >= 8.6.3-bp160.1.1` `php-mapscriptng >= 8.6.3-bp160.1.1` `python313-mapserver >= 8.6.3-bp160.1.1`	Patchnames: openSUSE-Leap-16.0-packagehub-287

SUSE Timeline for this CVE

CVE page created: Thu May 28 00:01:27 2026
CVE page last modified: Tue Jun 2 11:37:06 2026