VulnerableCode Package Details - pkg:pypi/geonode@4.0.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-3112-xnvn-gyen Aliases: CVE-2026-39922 GHSA-hw9r-6m78-w6h3 PYSEC-2026-61	GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.	4.4.5 Affected by 0 other vulnerabilities. 5.0.2 Affected by 0 other vulnerabilities.
VCID-kvfp-4b99-7ufe Aliases: CVE-2023-26043 GHSA-mcmc-c59m-pqq8 PYSEC-2023-15	GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been patched in version 4.0.3.	4.0.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-y7sz-snam-5ycz Aliases: CVE-2023-40017 GHSA-rmxg-6qqf-x8mr PYSEC-2023-269	GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and request information from internal hosts. A patch is available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9.	4.1.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3112-xnvn-gyen
Aliases:
CVE-2026-39922
GHSA-hw9r-6m78-w6h3
PYSEC-2026-61

GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.

4.4.5
Affected by 0 other vulnerabilities.

5.0.2
Affected by 0 other vulnerabilities.

VCID-kvfp-4b99-7ufe
Aliases:
CVE-2023-26043
GHSA-mcmc-c59m-pqq8
PYSEC-2023-15

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been patched in version 4.0.3.

4.0.3
Affected by 2 other vulnerabilities.

VCID-y7sz-snam-5ycz
Aliases:
CVE-2023-40017
GHSA-rmxg-6qqf-x8mr
PYSEC-2023-269

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and request information from internal hosts. A patch is available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9.

4.1.3
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:24:46.308947+00:00	Pypa Importer	Affected by	VCID-3112-xnvn-gyen	https://github.com/pypa/advisory-database/blob/main/vulns/geonode/PYSEC-2026-61.yaml	38.6.0
2026-06-02T04:19:24.681715+00:00	Pypa Importer	Affected by	VCID-y7sz-snam-5ycz	https://github.com/pypa/advisory-database/blob/main/vulns/geonode/PYSEC-2023-269.yaml	38.6.0
2026-06-02T04:18:25.566324+00:00	Pypa Importer	Affected by	VCID-kvfp-4b99-7ufe	https://github.com/pypa/advisory-database/blob/main/vulns/geonode/PYSEC-2023-15.yaml	38.6.0