Geonetwork 4.2.0 - XML External Entity (XXE) | Advisories

Advisories

Geonetwork 4.2.0 - XML External Entity (XXE)

severity: high
date: January 13, 2026
Affecting: GeoNetwork <= 4.2.0
CVE: CVE-2022-50899
CWE: CWE-611 Improper Restriction of XML External Entity Reference
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: ExploitDB-50982
GeoNetwork Official Homepage
Credit: Amel BOUZIANE-LEBLOND
Description: Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.