CVE-2022-50899

MEDIUM 6.5

Geonetwork 4.2.0 - XML External Entity (XXE)

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.

CWE	CWE-611
Vendor	geonetwork
Product	geonetwork
Published	Jan 13, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for geonetwork geonetwork

Be the first to know when new medium vulnerabilities affecting geonetwork geonetwork are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

GeoNetwork / GeoNetwork

3.10 ≤ 4.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/50982 geonetwork-opensource.org: https://geonetwork-opensource.org/ vulncheck.com: https://www.vulncheck.com/advisories/geonetwork-xml-external-entity-xxe

Credits

Amel BOUZIANE-LEBLOND