EUVD-2026-21581
GHSA-v8f7-cg9p-w5jx
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Description
GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.
Analysis
GeoNode 4.0 before 4.4.5 and 5.0 before 5.0.2 contains a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to probe internal networks, including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by submitting a crafted WMS service URL during form validation. The vulnerability exploits insufficient URL validation without private IP filtering or allowlist enforcement. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today