LeakyCreds

CVE-2026-42352 - Vulnerability Analysis

High | CVSS: 8.6

Last Updated: May 8, 2026

pygeoapi - Server Side Request Forgery

Published: May 8, 2026 | Updated: May 8, 2026 | Remote Exploitable

Overview

pygeoapi versions 0.23.0 up to, but not including, 0.23.3 contain a server-side request forgery (SSRF) vulnerability caused by misuse of the subscriber object in OGC API process execution requests. It lets attackers make requests to internal HTTP services. Exploitation requires a crafted process execution request.

Severity & Score

Severity: High
CVSS Score: 8.6

Impact

Attackers can make unauthorized requests to internal HTTP services, potentially accessing sensitive internal resources.

Mitigation

Upgrade to version 0.23.3 or later.
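
For deployments that cannot upgrade immediately, or that want to review logged execution requests, the following added example (not pygeoapi's code and not the 0.23.3 fix) flags subscriber callback URLs that point at non-public addresses. The field names `successUri`, `inProgressUri` and `failedUri` come from the OGC API - Processes standard rather than from this advisory, and the function names are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Callback fields of the "subscriber" object as defined by OGC API - Processes
# Part 1 (taken from the standard, not from this advisory).
SUBSCRIBER_FIELDS = ("successUri", "inProgressUri", "failedUri")


def _resolve(host):
    """Default resolver: every address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_callback(uri, resolve=_resolve):
    """Return None if uri points at a public HTTP(S) host, else a reason."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "malformed URL"
    if parts.scheme not in ("http", "https"):
        return "scheme not http/https"
    host = parts.hostname
    if not host:
        return "no host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal, no DNS needed
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
        if not ip.is_global:
            return f"resolves to non-public address {ip}"
    return None


def audit_execute_request(body, resolve=_resolve):
    """Map each rejected subscriber callback field to the reason."""
    subscriber = body.get("subscriber") or {}
    checks = {f: check_callback(str(subscriber[f]), resolve)
              for f in SUBSCRIBER_FIELDS if subscriber.get(f) is not None}
    return {f: reason for f, reason in checks.items() if reason}
```

A check like this only holds if the outbound request then connects to the address that was validated and does not follow redirects, since a host name can resolve differently between check and use.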

Details

CVE ID: CVE-2026-42352
Severity: High
CVSS Score: 8.6
Type: server_side_request_forgery
Status: new

CWE

  • CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N