Skip to main content

GeoNetwork CVE-2026-39379

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 https://github.com/geonetwork/core-geonetwork GHSA-2v4m-fw6c-g78f
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
vuln.today AI
6.1 MEDIUM

Reflected XSS is network-borne and easy but needs victim click (UI:R); browser-context execution escapes the server's security scope (S:C) with limited confidentiality/integrity impact and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 18:20 vuln.today

DescriptionGitHub Advisory

Summary

It is possible to craft a URL that causes GeoNetwork to reflect attacker-controlled content into an error page in a way that gets evaluated as a client-side template expression. Combined with known AngularJS sandbox-escape techniques, this can be used to execute arbitrary JavaScript in the victim's browser (reflected Cross-Site Scripting via client-side template injection).

Details

When a user requests a service URL that does not exist or that they are not authorized to access, GeoNetwork shows an error page that reflects part of the original request back to the user without adequately neutralizing it for the context it is rendered in. Because this error page is an AngularJS application, attacker-controlled content in the reflected value can be interpreted as a template expression and evaluated once the page loads in the victim's browser, rather than being displayed as inert text.

Impact

An attacker can trick a user (including an administrator) into visiting a crafted link. The resulting script execution runs in the context of the victim's authenticated session and can be used to exfiltrate information or perform actions on the victim's behalf. For example, an attacker could inject a fake login form that looks identical to the legitimate GeoNetwork login page to harvest credentials.

GeoNetwork 3.x and 4.0.x are archived/unmaintained and will not receive a fix for this issue. Instances running those lines should upgrade to a supported release (4.2.15 or later, or 4.4.10 or later).

AnalysisAI

Reflected cross-site scripting in GeoNetwork lets a remote attacker run arbitrary JavaScript in a victim's authenticated session by luring them to a crafted service URL. Because the not-found/unauthorized error page is an AngularJS application, attacker-controlled request content reflected into that page is evaluated as a client-side template expression (AngularJS sandbox escape) rather than shown as inert text. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with AngularJS template payload
Delivery
Deliver crafted link to victim via phishing
Exploit
Victim requests invalid/unauthorized service path
Execution
Error page reflects and evaluates expression
Persist
Sandbox escape executes JavaScript in session
Impact
Harvest credentials or act as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to click an attacker-crafted URL (UI:R) that points to a service path which does not exist or which the user is not authorized to access - that error condition is what triggers rendering of the AngularJS error page into which the payload is reflected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N, base 7.1) marks this network-exploitable and unauthenticated, but gated by user interaction - the victim must click a crafted link, which meaningfully lowers real-world exploitability versus a fully unauthenticated server-side RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a link to a non-existent or unauthorized GeoNetwork service path containing a malicious AngularJS template expression and sends it to a logged-in administrator via email or chat. When the admin opens it, the error page evaluates the expression, running attacker JavaScript in their authenticated session - for example rendering a pixel-perfect fake login form to capture credentials or issuing catalog changes on their behalf. …
Remediation Upgrade to a supported, fixed release: GeoNetwork 4.2.15 or later on the 4.2 line, or 4.4.10 or later on the 4.4 line, per advisory GHSA-2v4m-fw6c-g78f (https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2v4m-fw6c-g78f). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all GeoNetwork instances in production and confirm network exposure status; disable internet-facing access if possible and notify all authenticated users of the vulnerability. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39379 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy