CVE-2022-50899
MEDIUM
Geonetwork 3.10-4.2.0 - SSRF
Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.
Exploits (1)
exploitdb
WORKING POC
by Amel BOUZIANE-LEBLOND · text · webapps · multiple
https://www.exploit-db.com/exploits/50982
Scores
CVSS v3
6.5
EPSS
0.0005
EPSS Percentile
14.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Classification
CWE
CWE-611
Status
published
Affected Products (1)
osgeo/geonetwork
< 4.2.0
Timeline
Published
Jan 13, 2026
Tracked Since
Feb 18, 2026