{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/geonetwork/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GeoNetwork (3.0.0-3.12.12)","GeoNetwork (4.0.0-alpha.1-4.0.6)","GeoNetwork (4.2.0-4.2.14)","GeoNetwork (4.4.0-4.4.9)"],"_cs_severities":["high"],"_cs_tags":["xss","web-vulnerability","client-side-injection","angularjs","ghsa","webserver"],"_cs_type":"advisory","_cs_vendors":["GeoNetwork"],"content_html":"\u003cp\u003eA critical reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-39379, has been identified in GeoNetwork, an open-source geospatial metadata catalog. This flaw stems from improper neutralization of user-controlled input in error pages, which are built using AngularJS. When a user requests a non-existent or unauthorized service URL, GeoNetwork reflects parts of the original request directly into the error page without adequate sanitization. Since this page is an AngularJS application, an attacker can embed client-side template expressions (e.g., \u003ccode\u003e{{...}}\u003c/code\u003e) within the malicious URL. Upon rendering in the victim's browser, these expressions are evaluated, leading to the execution of arbitrary JavaScript. This vulnerability affects GeoNetwork versions 3.0.0 through 3.12.12, 4.0.0-alpha.1 through 4.0.6, 4.2.0 through 4.2.14, and 4.4.0 through 4.4.9. GeoNetwork 3.x and 4.0.x lines are no longer maintained and will not receive patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious URL\u003c/strong\u003e: The attacker crafts a specific URL that targets a non-existent or unauthorized GeoNetwork service endpoint, embedding client-side template injection payloads (e.g., \u003ccode\u003e{{expression}}\u003c/code\u003e) within the path or query parameters.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePhishing Delivery\u003c/strong\u003e: The attacker delivers this crafted malicious URL to a victim, typically via social engineering tactics such as phishing emails, instant messages, or compromised web pages, enticing the victim to click the link.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim Request\u003c/strong\u003e: The victim, interacting with the lure, clicks the malicious URL, causing their web browser to send an HTTP GET request containing the embedded payload to the vulnerable GeoNetwork server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eServer Error Response\u003c/strong\u003e: The GeoNetwork server processes the request for the invalid service. Due to its design, it generates an AngularJS-based error page that reflects portions of the original, unsanitized request URL back to the client.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eClient-Side Template Evaluation\u003c/strong\u003e: When the victim's browser receives and renders the error page, the AngularJS framework identifies the reflected attacker-controlled content as a template expression. It then evaluates this expression.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary JavaScript Execution\u003c/strong\u003e: The evaluation of the template expression results in the execution of the attacker's arbitrary JavaScript code within the context of the victim's browser.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact on Authenticated Session\u003c/strong\u003e: The malicious JavaScript executes with the same permissions and within the same authenticated session as the victim user, potentially allowing for session hijacking, data exfiltration from GeoNetwork, or performing unauthorized actions on the victim's behalf.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFurther Exploitation\u003c/strong\u003e: The attacker leverages the executed JavaScript to achieve their objective, which could include redirecting the user to a fake login page for credential harvesting or initiating further attacks against the GeoNetwork instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39379 allows an attacker to execute arbitrary JavaScript code within the victim's browser. This code runs in the context of the victim's authenticated session, enabling severe consequences such as session hijacking, unauthorized data exfiltration from the GeoNetwork instance, or performing actions on the victim's behalf, including modifying content or changing configurations if the victim is an administrator. Additionally, attackers could inject fake login forms or malicious content to harvest credentials or spread malware. GeoNetwork versions 3.x and 4.0.x are particularly at risk as they are archived and will not receive official fixes, necessitating immediate upgrades for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-39379 immediately by upgrading GeoNetwork to a fixed version (4.2.15 or later, or 4.4.10 or later).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-39379 Exploitation - GeoNetwork Reflected XSS Attempt\u0026quot; to your SIEM to identify attempts at client-side template injection via web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:45:55Z","date_published":"2026-07-03T12:45:55Z","id":"https://feed.craftedsignal.io/briefs/2026-07-geonetwork-xss/","summary":"A reflected Cross-Site Scripting (XSS) vulnerability, CVE-2026-39379, exists in GeoNetwork due to client-side template injection within error pages, allowing an attacker to craft a URL that, when visited by a victim, causes arbitrary JavaScript to execute in their browser in the context of their authenticated session.","title":"GeoNetwork Reflected XSS through Client-Side Template Injection (CVE-2026-39379)","url":"https://feed.craftedsignal.io/briefs/2026-07-geonetwork-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GeoNetwork (4.0.0-alpha.1 - 4.0.6-0)","GeoNetwork (4.2.0 - 4.2.15)","GeoNetwork (4.4.0 - 4.4.10-0)"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","information-disclosure","web-vulnerability","elasticsearch","geonetwork","ghsa"],"_cs_type":"advisory","_cs_vendors":["GeoNetwork"],"content_html":"\u003cp\u003eA significant authorization bypass vulnerability (CVE-2026-46487) has been identified in GeoNetwork's search API, affecting all public-facing GeoNetwork 4.x instances from version 4.0.0-alpha.1 through 4.4.10. This flaw lies within the search proxy layer, which is designed to inject access-control and visibility filters into every request before it reaches the underlying Elasticsearch index. However, under specific conditions where the client-supplied search request intentionally omits the 'query' field, this critical filtering step is skipped. As a result, an unauthenticated attacker can retrieve indexed metadata records that should be restricted, including group-specific data, draft records, and information requiring ownership checks, leading to significant information disclosure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP POST request to a public-facing GeoNetwork instance's Elasticsearch-backed search API endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker constructs a malformed JSON request body for the Elasticsearch search, intentionally omitting the \u003ccode\u003equery\u003c/code\u003e field, while potentially including other search parameters.\u003c/li\u003e\n\u003cli\u003eThe GeoNetwork search proxy layer, responsible for injecting access-control and visibility filters, fails to apply these restrictions because the \u003ccode\u003equery\u003c/code\u003e field is absent from the request.\u003c/li\u003e\n\u003cli\u003eThe unfiltered request is forwarded to the backend Elasticsearch index without the intended authorization checks for group-based visibility, draft record exclusion, or ownership.\u003c/li\u003e\n\u003cli\u003eElasticsearch executes the search query as received and returns all matching metadata records, irrespective of their access control settings.\u003c/li\u003e\n\u003cli\u003eThe unauthenticated attacker receives the full contents of metadata records that should have been restricted, resulting in sensitive information disclosure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability (CWE-862: Missing Authorization) leads to unauthorized information disclosure, allowing unauthenticated attackers to access sensitive metadata records. The skipped filter step is responsible for enforcing multiple layers of access control, including group-based record visibility, exclusion of draft records, and ownership verification. Consequently, any public-facing GeoNetwork 4.x instance (versions 4.0.0-alpha.1 through 4.4.10) is vulnerable to an attacker retrieving the full content of metadata that should not be publicly visible, potentially exposing internal project details, draft documents, or data restricted to specific user groups.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch affected GeoNetwork instances immediately to a version that addresses CVE-2026-46487.\u003c/li\u003e\n\u003cli\u003eReview web server access logs and GeoNetwork application logs for suspicious HTTP POST requests to the search API that may omit the \u003ccode\u003equery\u003c/code\u003e field, particularly from unknown or untrusted IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:44:38Z","date_published":"2026-07-03T12:44:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-geonetwork-acl-bypass/","summary":"A high-severity authorization bypass vulnerability, CVE-2026-46487, in GeoNetwork's Elasticsearch-backed search API allows unauthenticated attackers to retrieve restricted metadata records by bypassing access control and visibility filters when the request body omits the 'query' field, leading to sensitive information disclosure.","title":"GeoNetwork ACL Bypass in Elasticsearch Search (CVE-2026-46487)","url":"https://feed.craftedsignal.io/briefs/2026-07-geonetwork-acl-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - GeoNetwork","version":"https://jsonfeed.org/version/1.1"}