
Description

Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.
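The mechanism the description names, reduced to its minimum as an added example (this is not GeoNetwork's code, which is Java, and not the ExploitDB entry): one attacker document carrying an external general entity whose SYSTEM identifier is a local file, parsed twice with Python's standard-library SAX parser, once with external entity resolution switched on, which is the parser behaviour the advisory describes, and once with it off. The secret file, the entity name `xxe` and all helper names are constructed for the example; in the real request the document arrives in the baseURL parameter of a PDF creation request rather than as a byte string.

```python
"""XXE, reduced to a minimum: one attacker document, two parser configurations.

Added example using only the Python standard library; it is not GeoNetwork's
(Java) code. File names, entity names and the 'secret' contents are constructed.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Gathers every run of character data the parser delivers."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def xxe_payload(target_path):
    """Constructed attacker document: an external general entity whose system
    identifier is a local file, referenced from element content so the parser
    pastes the file's bytes into the document it hands back to the caller."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE doc [<!ENTITY xxe SYSTEM "{}">]>\n'
        "<doc>&xxe;</doc>\n"
    ).format(target_path).encode()


def _parse(document, resolve_external_entities):
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    # The single setting that decides the outcome: whether SYSTEM entities are
    # fetched (file://, http://, ...) and inlined, or silently skipped.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(document))
    return collector.text()


def parse_insecure(document):
    """Parser as the advisory describes it: external entities are resolved."""
    return _parse(document, True)


def parse_hardened(document):
    """Same parser with external general entity resolution disabled."""
    return _parse(document, False)


def has_doctype(document):
    """Cheap edge check: a print/PDF request never needs a DTD, so the presence
    of a DOCTYPE or ENTITY declaration is itself grounds to reject the payload."""
    return b"<!DOCTYPE" in document or b"<!ENTITY" in document


def demo():
    """Write a constructed secret, then parse the same payload both ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db-password=hunter2")  # constructed stand-in for a system file
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        return {
            "insecure": parse_insecure(payload),   # file contents leak
            "hardened": parse_hardened(payload),   # entity skipped: ""
            "screened": has_doctype(payload),      # True: reject at the edge
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result!r}")
```

`demo()` returns the secret file's contents from the insecure parse and an empty string from the hardened one, for the same input bytes. The `has_doctype` screen is a cheap defence in depth for endpoints such as a print or PDF request that never legitimately carry a DTD: it rejects the payload before any parser sees it. The equivalent hardening for a Java parser is to disable external general and parameter entities, and ideally DOCTYPE declarations altogether, on the DocumentBuilderFactory or SAXParserFactory before it is handed request-controlled XML.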

State: PUBLISHED | Reserved 2026-01-10 | Published 2026-01-13 | Updated 2026-01-14 | Assigner: VulnCheck




HIGH: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
MEDIUM: 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

Improper Restriction of XML External Entity Reference

Product status

3.10 (semver): affected

Credits

Amel BOUZIANE-LEBLOND (finder)

References

www.exploit-db.com/exploits/50982 (ExploitDB-50982) exploit

geonetwork-opensource.org/ (GeoNetwork Official Homepage) product

www.vulncheck.com/...ries/geonetwork-xml-external-entity-xxe (VulnCheck Advisory: Geonetwork 4.2.0 - XML External Entity (XXE)) third-party-advisory

cve.org (CVE-2022-50899)

nvd.nist.gov (CVE-2022-50899)
