VulnerableCode Package Details - pkg:pypi/geonode@4.1.3.post1

Search for packages

Vulnerability	Summary	Fixed by
VCID-3112-xnvn-gyen Aliases: CVE-2026-39922 GHSA-hw9r-6m78-w6h3 PYSEC-2026-61	GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.	4.4.5 Affected by 0 other vulnerabilities. 5.0.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-3112-xnvn-gyen
Aliases:
CVE-2026-39922
GHSA-hw9r-6m78-w6h3
PYSEC-2026-61

GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.

4.4.5
Affected by 0 other vulnerabilities.

5.0.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-7wnw-ep9n-17ep	GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. A SSRF vulnerability exists starting in version 3.2.0, bypassing existing controls on the software. This can allow a user to request internal services for a full read SSRF, returning any data from the internal network. The application is using a whitelist, but the whitelist can be bypassed. The bypass will trick the application that the first host is a whitelisted address, but the browser will use `@` or `%40` as a credential to the host geoserver on port 8080, this will return the data to that host on the response. As of time of publication, no patched version is available.	CVE-2023-42439 GHSA-pxg5-h34r-7q8p PYSEC-2023-176

Vulnerability

Summary

Aliases

VCID-7wnw-ep9n-17ep

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. A SSRF vulnerability exists starting in version 3.2.0, bypassing existing controls on the software. This can allow a user to request internal services for a full read SSRF, returning any data from the internal network. The application is using a whitelist, but the whitelist can be bypassed. The bypass will trick the application that the first host is a whitelisted address, but the browser will use `@` or `%40` as a credential to the host geoserver on port 8080, this will return the data to that host on the response. As of time of publication, no patched version is available.

CVE-2023-42439
GHSA-pxg5-h34r-7q8p
PYSEC-2023-176

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:45:50.832272+00:00	GitLab Importer	Fixing	VCID-7wnw-ep9n-17ep	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/GeoNode/CVE-2023-42439.yml	38.6.0
2026-06-02T04:24:46.336068+00:00	Pypa Importer	Affected by	VCID-3112-xnvn-gyen	https://github.com/pypa/advisory-database/blob/main/vulns/geonode/PYSEC-2026-61.yaml	38.6.0

2026-06-02T04:45:50.832272+00:00

GitLab Importer

Fixing

VCID-7wnw-ep9n-17ep

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/GeoNode/CVE-2023-42439.yml

38.6.0

2026-06-02T04:24:46.336068+00:00

Pypa Importer

Affected by

VCID-3112-xnvn-gyen

https://github.com/pypa/advisory-database/blob/main/vulns/geonode/PYSEC-2026-61.yaml

38.6.0

Next non-vulnerable version	4.4.5
Latest non-vulnerable version	5.0.2
Risk