CVE-2026-42352

Published: May 8, 2026Modified: May 12, 2026Deferred

8.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 4.0

Source: security-advisories@github.com (Secondary)

Description

pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to requests to internal HTTP services. This issue has been patched in version 0.23.3.

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (3)

https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef

Source: security-advisories@github.com

https://github.com/geopython/pygeoapi/releases/tag/0.23.3

Source: security-advisories@github.com

https://github.com/geopython/pygeoapi/security/advisories/GHSA-jgvc-94c8-3chc

Source: security-advisories@github.com

Timeline

No history available yet.