PT-2026-54760 · Unknown · Geonetwork

Published: 2026-07-01 · Updated: 2026-07-01 · CVE-2026-39379

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions

GeoNetwork versions 3.x and 4.0.x
GeoNetwork versions prior to 4.2.15
GeoNetwork versions prior to 4.4.10

Description

GeoNetwork reflects attacker-controlled content into an error page when a user requests a non-existent or unauthorized service URL. Because the error page is an AngularJS application, this content can be evaluated as a client-side template expression, allowing for reflected Cross-Site Scripting (XSS) via client-side template injection. An attacker can trick a user into visiting a crafted link to execute arbitrary JavaScript in the victim's browser, potentially exfiltrating information or performing actions on the victim's behalf, such as harvesting credentials via a fake login form.

Recommendations

Upgrade GeoNetwork versions 3.x and 4.0.x to a supported release (4.2.15 or later, or 4.4.10 or later).
Upgrade versions prior to 4.2.15 to version 4.2.15 or later.
Upgrade versions prior to 4.4.10 to version 4.4.10 or later.
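
An added detection sketch, not part of the advisory or of GeoNetwork's code: it scans web access log lines for request targets that carry AngularJS interpolation delimiters (`{{ }}`), including percent-encoded and double-encoded forms, which is the kind of content the Description says is reflected into the error page. The combined log format, the `/catalog/srv/...` paths, the status codes and every sample line are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Common/combined access log: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)
# AngularJS default interpolation delimiters around any expression.
EXPR_RE = re.compile(r"\{\{.*?\}\}", re.S)


def decode_target(target, rounds=3):
    """Percent-decode repeatedly so double-encoded delimiters are still seen."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_template_requests(lines):
    """Return one record per request whose decoded target contains {{ ... }}."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        decoded = decode_target(m.group("target"))
        expr = EXPR_RE.search(decoded)
        if expr:
            hits.append({"host": m.group("host"), "status": int(m.group("status")),
                         "target": decoded, "expression": expr.group(0)})
    return hits


# Constructed sample lines: documentation IP ranges, placeholder paths and marker.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2026:10:00:01 +0000] "GET /catalog/srv/eng/example.service HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/Jul/2026:10:02:14 +0000] "GET /catalog/srv/eng/%7B%7Bconstructed_marker%7D%7D HTTP/1.1" 404 812',
    '198.51.100.23 - - [01/Jul/2026:10:02:20 +0000] "GET /catalog/srv/eng/%257B%257Bconstructed_marker%257D%257D HTTP/1.1" 404 812',
    '203.0.113.9 - - [01/Jul/2026:10:05:00 +0000] "GET /catalog/srv/api/items?q=%7Bname%7D HTTP/1.1" 200 230',
]

if __name__ == "__main__":
    for hit in find_template_requests(SAMPLE_LOG):
        print(hit["host"], hit["status"], hit["expression"], hit["target"])
```

A hit only shows that a request carried template delimiters; whether the content was reflected and evaluated depends on the installed version, so the upgrade above remains the fix.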

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-39379
GHSA-2V4M-FW6C-G78F

Affected Products

Geonetwork