Vulnerability DatabaseCVE-2026-39922
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-39922
Published:April 10, 2026
Updated:April 23, 2026
GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.
Affected Packages
GeoNode (PYTHON):
Affected version(s) >=5.0.0 <5.0.2
Fix Suggestion:
Update to version 5.0.2
GeoNode (PYTHON):
Affected version(s) >=4.0.0 <4.4.5
Fix Suggestion:
Update to version 4.4.5
Related ResourcesĀ (4)
https://github.com/GeoNode/geonode/releases/tag/4.4.5
https://github.com/GeoNode/geonode/releases/tag/5.0.2
https://github.com/GeoNode/geonode/security/advisories/GHSA-hw9r-6m78-w6h3
https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
LOW
CVSS v3
Base Score:
6.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Server-Side Request Forgery (SSRF)
CWE-918
EPSS
Base Score:
0.04