PatchSiren

GeoNode CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM GeoNode CVE published 2026-04-10

CVE-2026-39922

CVE-2026-39922 is a server-side request forgery vulnerability in GeoNode versions 4.4.5 and 5.0.2. Authenticated attackers can trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. The vulnerability allows probing of internal network targets, including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services, [truncated]

MEDIUM GeoNode CVE published 2026-04-10

CVE-2026-39921

CVE-2026-39921 is a server-side request forgery vulnerability in GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2. The vulnerability allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. This can lead to unauthorized access to internal network targets, loopback addresses, [truncated]