Lookup for vulnerable packages by Package URL.
| Purl | pkg:pypi/geonode@5.0.2 |
|---|
| Type | pypi |
|---|
| Namespace | |
|---|
| Name | geonode |
|---|
| Version | 5.0.2 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | false |
|---|
| Next_non_vulnerable_version | null |
|---|
| Latest_non_vulnerable_version | null |
|---|
| Affected_by_vulnerabilities |
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-3112-xnvn-gyen |
| vulnerability_id |
VCID-3112-xnvn-gyen |
| summary |
GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-39922, GHSA-hw9r-6m78-w6h3, PYSEC-2026-61
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3112-xnvn-gyen |
|
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:pypi/geonode@5.0.2 |
|---|