Vendor
high
advisory
GeoNetwork Reflected XSS through Client-Side Template Injection (CVE-2026-39379)
1 rule 4 TTPsA reflected Cross-Site Scripting (XSS) vulnerability, CVE-2026-39379, exists in GeoNetwork due to client-side template injection within error pages, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript to execute in their browser in the context of their authenticated session.
GeoNetwork +3
xss
web-vulnerability
client-side-injection
angularjs
ghsa
webserver
1r
4t
high
advisory
GeoNetwork ACL Bypass in Elasticsearch Search (CVE-2026-46487)
3 TTPsA high-severity authorization bypass vulnerability, CVE-2026-46487, in GeoNetwork's Elasticsearch-backed search API allows unauthenticated attackers to retrieve restricted metadata records by bypassing access control and visibility filters when the request body omits the 'query' field, leading to sensitive information disclosure.
GeoNetwork +2
authorization-bypass
information-disclosure
web-vulnerability
elasticsearch
ghsa
3t