GeoNetwork CVE-2026-39379
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Reflected XSS is network-borne and easy but needs victim click (UI:R); browser-context execution escapes the server's security scope (S:C) with limited confidentiality/integrity impact and no availability effect.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
It is possible to craft a URL that causes GeoNetwork to reflect attacker-controlled content into an error page in a way that gets evaluated as a client-side template expression. Combined with known AngularJS sandbox-escape techniques, this can be used to execute arbitrary JavaScript in the victim's browser (reflected Cross-Site Scripting via client-side template injection).
Details
When a user requests a service URL that does not exist or that they are not authorized to access, GeoNetwork shows an error page that reflects part of the original request back to the user without adequately neutralizing it for the context it is rendered in. Because this error page is an AngularJS application, attacker-controlled content in the reflected value can be interpreted as a template expression and evaluated once the page loads in the victim's browser, rather than being displayed as inert text.
Impact
An attacker can trick a user (including an administrator) into visiting a crafted link. The resulting script execution runs in the context of the victim's authenticated session and can be used to exfiltrate information or perform actions on the victim's behalf. For example, an attacker could inject a fake login form that looks identical to the legitimate GeoNetwork login page to harvest credentials.
GeoNetwork 3.x and 4.0.x are archived/unmaintained and will not receive a fix for this issue. Instances running those lines should upgrade to a supported release (4.2.15 or later, or 4.4.10 or later).
AnalysisAI
Reflected cross-site scripting in GeoNetwork lets a remote attacker run arbitrary JavaScript in a victim's authenticated session by luring them to a crafted service URL. Because the not-found/unauthorized error page is an AngularJS application, attacker-controlled request content reflected into that page is evaluated as a client-side template expression (AngularJS sandbox escape) rather than shown as inert text. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to click an attacker-crafted URL (UI:R) that points to a service path which does not exist or which the user is not authorized to access - that error condition is what triggers rendering of the AngularJS error page into which the payload is reflected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N, base 7.1) marks this network-exploitable and unauthenticated, but gated by user interaction - the victim must click a crafted link, which meaningfully lowers real-world exploitability versus a fully unauthenticated server-side RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a link to a non-existent or unauthorized GeoNetwork service path containing a malicious AngularJS template expression and sends it to a logged-in administrator via email or chat. When the admin opens it, the error page evaluates the expression, running attacker JavaScript in their authenticated session - for example rendering a pixel-perfect fake login form to capture credentials or issuing catalog changes on their behalf. … |
| Remediation | Upgrade to a supported, fixed release: GeoNetwork 4.2.15 or later on the 4.2 line, or 4.4.10 or later on the 4.4 line, per advisory GHSA-2v4m-fw6c-g78f (https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2v4m-fw6c-g78f). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all GeoNetwork instances in production and confirm network exposure status; disable internet-facing access if possible and notify all authenticated users of the vulnerability. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2v4m-fw6c-g78f