CVE-2025-27511
Severity CVSS v4.0:
Pending analysis
Type:
CWE-74
Injection
Publication date:
18/06/2026
Last modified:
24/06/2026
Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.
Impact
Base Score 3.x
7.20
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:* | 2.27.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



