{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39921", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-07T20:57:06.210Z", "datePublished": "2026-04-10T19:52:49.924Z", "dateUpdated": "2026-05-08T14:08:23.599Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:08:23.599Z"}, "title": "GeoNode < 4.4.5, 5.0.2 SSRF via Document Upload", "descriptions": [{"lang": "en", "value": "GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation."}], "datePublic": "2026-04-10T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "affected": [{"vendor": "GeoNode", "product": "GeoNode", "repo": "https://github.com/GeoNode/geonode", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.4.5", "versionType": "semver"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L"}}], "references": [{"url": "https://github.com/GeoNode/geonode/releases/tag/5.0.2", "tags": ["release-notes", "patch"]}, {"url": "https://github.com/GeoNode/geonode/releases/tag/4.4.5", "tags": ["release-notes", "patch"]}, {"url": "https://github.com/GeoNode/geonode/pull/14058", "tags": ["issue-tracking"]}, {"url": "https://github.com/GeoNode/geonode/commit/9856cb5ab27e33c0adba9274f4cccf6d1f534bd1", "tags": ["patch"]}, {"url": "https://github.com/GeoNode/geonode/commit/4a852cfc1da732b10779b5bf5f087c8f02985571", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/geonode-ssrf-via-document-upload", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "Elure (Marasescu Mihnea-Luca)", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T12:29:38.130409Z", "id": "CVE-2026-39921", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:29:50.218Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39921", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T12:29:38.130409Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T12:29:45.449Z"}}], "cna": {"title": "GeoNode < 4.4.5, 5.0.2 SSRF via Document Upload", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Elure (Marasescu Mihnea-Luca)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/GeoNode/geonode", "vendor": "GeoNode", "product": "GeoNode", "versions": [{"status": "affected", "version": "4.0.0", "lessThan": "4.4.5", "versionType": "semver"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-10T00:00:00.000Z", "references": [{"url": "https://github.com/GeoNode/geonode/releases/tag/5.0.2", "tags": ["release-notes", "patch"]}, {"url": "https://github.com/GeoNode/geonode/releases/tag/4.4.5", "tags": ["release-notes", "patch"]}, {"url": "https://github.com/GeoNode/geonode/pull/14058", "tags": ["issue-tracking"]}, {"url": "https://github.com/GeoNode/geonode/commit/9856cb5ab27e33c0adba9274f4cccf6d1f534bd1", "tags": ["patch"]}, {"url": "https://github.com/GeoNode/geonode/commit/4a852cfc1da732b10779b5bf5f087c8f02985571", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/geonode-ssrf-via-document-upload", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-08T14:08:23.599Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39921", "state": "PUBLISHED", "dateUpdated": "2026-05-08T14:08:23.599Z", "dateReserved": "2026-04-07T20:57:06.210Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-10T19:52:49.924Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:geosolutionsgroup:geonode:*:*:*:*:*:*:*:*", "matchCriteriaId": "63411221-3957-4534-967C-B76A963F1A8B", "versionEndExcluding": "4.4.5", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:geosolutionsgroup:geonode:*:*:*:*:*:*:*:*", "matchCriteriaId": "D170633C-B353-4CEA-A77E-3477016B5B98", "versionEndExcluding": "5.0.2", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation."}], "id": "CVE-2026-39921", "lastModified": "2026-04-16T01:16:09.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-10T20:16:22.083", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/GeoNode/geonode/commit/4a852cfc1da732b10779b5bf5f087c8f02985571"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/GeoNode/geonode/commit/9856cb5ab27e33c0adba9274f4cccf6d1f534bd1"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/GeoNode/geonode/pull/14058"}, {"source": "disclosure@vulncheck.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/GeoNode/geonode/releases/tag/4.4.5"}, {"source": "disclosure@vulncheck.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/GeoNode/geonode/releases/tag/5.0.2"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/geonode-ssrf-via-document-upload"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.0,4.4.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[5.0,5.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "GeoNode", "source": "cna", "vendor": "GeoNode"}, "product": "geonode", "vendor": "geonode"}], "analysis": {"en": {"generated_at": "2026-04-10T21:50:36.726073+00:00", "value": {"mitigation_remediation": ["Upgrade GeoNode to version 4.4.5 or later, or to version 5.0.2 or later to fully address the SSRF vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Authenticated internal SSRF allowing outbound HTTP requests to internal resources"}, "threat_synthesis": {"affected_systems": "The affected product is GeoNode, released in two main series: version 4.x (from 4.0 through 4.4.4) and version 5.x (from 5.0 through 5.0.1). All earlier releases in these ranges are vulnerable until a patch is applied.", "description_and_impact": "GeoNode versions 4.0 up to 4.4.4 and 5.0 up to 5.0.1 contain a server\u2011side request forgery flaw in the document upload feature. An authenticated user with upload permissions can supply a malicious URL via the doc_url parameter, causing the server to perform an HTTP request to any address supplied, including internal network targets, loopback, RFC1918 addresses, or cloud metadata services. The vulnerability permits information disclosure and could be used to mount further attacks against internal services. The weakness is classified as CWE\u2011918.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity. Exploitation requires the attacker to be an authenticated user with document upload rights; there is no mention of privilege escalation or external access. EPSS data is not available, and the flaw is not listed in CISA\u2019s KEV catalog, suggesting that widespread exploitation is unlikely but not impossible. Because the affected systems can reach internal network resources, the risk to the internal network is moderate, warranting prompt attention."}}}}, "created": "2026-04-13T12:42:37.347383+00:00", "updated": "2026-04-13T12:57:24.707356+00:00", "vendors": ["geonode", "geonode$PRODUCT$geonode"]}