CVE-2026-39921— GeoNode < 4.4.5, 5.0.2 SSRF via Document Upload

GeoNode < 4.4.5, 5.0.2 SSRF via Document Upload

GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.

N/A

服务端请求伪造(SSRF)

GeoNode 代码问题漏洞

GeoNode是一个开源平台，可促进地理空间数据的创建、共享和协作使用。 GeoNode 4.4.5之前版本和5.0.2之前版本存在代码问题漏洞，该漏洞源于doc_url参数验证不足，可能导致服务端请求伪造攻击。

N/A

N/A