CVE-2022-50899 HIGH

CVE-2022-50899: Geonetwork 4.2.0 - XML External Entity (XXE)

Vendor Geonetwork
Product GeoNetwork
Weakness CWE-611 · XXE
Published January 13, 2026
Last update May 14, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

GeoNetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.

Key dates

02 Disclosure timeline

January 13, 2026 CVE published
May 14, 2026 Record updated