PT-2026-54760 · Unknown · Geonetwork
Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-39379
CVSS v3.1: 7.1 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
GeoNetwork versions 3.x and 4.0.x
GeoNetwork versions prior to 4.2.15
GeoNetwork versions prior to 4.4.10
Description
When a user requests a non-existent or unauthorized service URL, GeoNetwork reflects attacker-controlled content from that request into its error page. The error page is itself an AngularJS application, so reflected text containing AngularJS interpolation delimiters ({{ ... }}) is compiled and evaluated as a client-side template expression. The result is reflected Cross-Site Scripting (XSS) via client-side template injection (CSTI): an attacker who gets a victim to open a crafted link (hence UI:R in the vector) can execute arbitrary JavaScript in the victim's browser, exfiltrate information, or act on the victim's behalf, for example by injecting a fake login form to harvest credentials.
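The defect class described above is easy to get wrong even with HTML escaping in place, because the AngularJS delimiters {{ and }} are not HTML metacharacters: a markup escaper passes them through, and entity-encoding them does not help either, since the browser decodes entities into DOM text before AngularJS reads it. The following is an added example, not GeoNetwork's code; it models a reflected error page in plain JavaScript (the page layout, the helper names and the probe path are assumptions) and shows two rendering patterns that remain injectable next to one that is not, using a simulation of how AngularJS' $interpolate collects expressions from the page.

```javascript
// Added example, not code from GeoNetwork: why HTML-escaping alone does not
// stop AngularJS client-side template injection (CSTI) in a reflected error
// page, and one rendering pattern that does. Page layout and helper names are
// assumptions made for illustration.

const START = "{{";
const END = "}}"; // AngularJS $interpolate default delimiters

// Escape the characters that matter to the HTML parser. Braces are not among
// them, so a markup escaper leaves AngularJS delimiters untouched.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Pattern 1 (vulnerable): the requested URL is HTML-escaped and reflected
// inside the region AngularJS compiles. Markup injection is blocked, but any
// {{...}} in the text is still evaluated as an expression.
function renderErrorVulnerable(requestPath) {
  return `<div ng-app="errorApp"><p>No service found at ${escapeHtml(requestPath)}</p></div>`;
}

// Pattern 2 (also vulnerable): additionally entity-encoding the braces. The
// browser decodes entities into DOM text before AngularJS reads it, so the
// delimiters reappear exactly as typed.
function renderErrorEntityEncoded(requestPath) {
  const text = escapeHtml(requestPath).replace(/\{/g, "&#123;").replace(/\}/g, "&#125;");
  return `<div ng-app="errorApp"><p>No service found at ${text}</p></div>`;
}

// Pattern 3 (hardened): keep the reflected text out of AngularJS' reach with
// ng-non-bindable, which makes the compiler skip that subtree entirely.
// HTML-escaping is still required against ordinary markup injection.
function renderErrorHardened(requestPath) {
  return `<div ng-app="errorApp"><p>No service found at ` +
    `<span ng-non-bindable>${escapeHtml(requestPath)}</span></p></div>`;
}

// Browser-side model of what AngularJS' $interpolate would see: entities are
// decoded into text the way the HTML parser does it (numeric first, then the
// common named ones, so "&amp;#123;" correctly becomes the literal "&#123;").
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"' };
  return s
    .replace(/&#(x?)([0-9a-f]+);/gi, (_, hex, n) => String.fromCodePoint(parseInt(n, hex ? 16 : 10)))
    .replace(/&(amp|lt|gt|quot);/g, (_, name) => named[name]);
}

// Collect every START...END span AngularJS would evaluate. Subtrees marked
// ng-non-bindable are dropped first, mirroring the compiler skipping them;
// an unterminated START is treated as literal text, as $interpolate does.
function interpolationsIn(html) {
  const bindable = html.replace(/<(\w+)[^>]*\bng-non-bindable\b[^>]*>[\s\S]*?<\/\1>/g, "");
  const text = decodeEntities(bindable);
  const found = [];
  let i = 0;
  for (;;) {
    const s = text.indexOf(START, i);
    if (s === -1) break;
    const e = text.indexOf(END, s + START.length);
    if (e === -1) break;
    found.push(text.slice(s + START.length, e).trim());
    i = e + END.length;
  }
  return found;
}

// Generic CSTI probe (not a GeoNetwork-specific payload): an arithmetic
// expression that only produces a value if interpolation actually happens.
const PROBE_PATH = "/srv/eng/{{7*7}}";
console.log(interpolationsIn(renderErrorVulnerable(PROBE_PATH)));    // ["7*7"]
console.log(interpolationsIn(renderErrorEntityEncoded(PROBE_PATH))); // ["7*7"]
console.log(interpolationsIn(renderErrorHardened(PROBE_PATH)));      // []
```

The practical check is the last three lines: a reflected value only stops being dangerous when it is removed from the compiled region (or the error page is served without AngularJS bootstrapping on it), not when it is merely escaped. When triaging a reflection point in an AngularJS-backed page, test with the arithmetic probe rather than with angle brackets, since a `<script>` probe will be escaped and give a false sense of safety.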
Recommendations
Upgrade to a fixed release: GeoNetwork 4.2.15 or later on the 4.2 branch, or 4.4.10 or later on the 4.4 branch.
GeoNetwork 3.x and 4.0.x are not supported and receive no fix; migrate those installations to one of the fixed releases above.
Fix
XSS
Related Identifiers
Affected Products
Geonetwork