CVE-2022-50899

MEDIUM
2026-01-13 [email protected]
6.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Feb 27, 2026 - 19:48 vuln.today
Public exploit code
CVE Published
Jan 13, 2026 - 23:15 nvd
MEDIUM 6.5

Tags

XXE Geonetwork

Description

Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.

Analysis

Geonetwork versions up to 4.2.0 is affected by improper restriction of xml external entity reference (CVSS 6.5).

Technical Context

This vulnerability (CWE-611: Improper Restriction of XML External Entity Reference) exists in the baseURL component. Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.

Affected Products

Vendor: Osgeo. Product: Geonetwork. Versions: up to 4.2.0. Component: baseURL.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

53
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +32
POC: +20

Share

CVE-2022-50899 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy