What is the CVSS score of CVE-2022-50899?

CVE-2022-50899 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Geonetwork are affected by CVE-2022-50899?

Organizations using Geonetwork 3.10 through 4.2.0 should be aware of notable risk from CVE-2022-50899, a XML external entity vulnerability rated CVSS 6.5.

Is there a public PoC exploit available for CVE-2022-50899?

Yes, a public proof-of-concept exploit is available for CVE-2022-50899. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2022-50899?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Geonetwork CVE-2022-50899

MEDIUM

Improper Restriction of XML External Entity Reference (CWE-611)

2026-01-13 disclosure@vulncheck.com

XXE Geonetwork

6.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 27, 2026 - 19:48 vuln.today

Public exploit code

CVE Published

Jan 13, 2026 - 23:15 nvd

MEDIUM 6.5

DescriptionCVE.org

Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.

AnalysisAI

Geonetwork versions up to 4.2.0 is affected by improper restriction of xml external entity reference (CVSS 6.5).

Technical ContextAI

This vulnerability (CWE-611: Improper Restriction of XML External Entity Reference) exists in the baseURL component. Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2022-50899 vulnerability details – vuln.today

Back

Geonetwork CVE-2022-50899

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code