{"id":"CVE-2023-26043","summary":"XML External Entity (XXE) injection in GeoServer style upload functionality","details":"GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been patched in version 4.0.3.\n","aliases":["GHSA-mcmc-c59m-pqq8","PYSEC-2023-15"],"modified":"2026-05-28T03:54:56.575761439Z","published":"2023-02-27T20:37:28.684Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26043.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-611"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26043.json"},{"type":"ADVISORY","url":"https://github.com/GeoNode/geonode/security/advisories/GHSA-mcmc-c59m-pqq8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26043"},{"type":"FIX","url":"https://github.com/GeoNode/geonode/commit/2fdfe919f299b21f1609bf898f9dcfde58770ac0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/geonode/geonode","events":[{"introduced":"0"},{"fixed":"e66877a0bcd8b1e9278202e4e6fe7a4665517f12"}]}],"versions":["4.0.2","4.0.1","3.0","2.10.4","2.10.3","2.10rc5","debian/2.5.15+thefinal0","2.5.15","debian/2.5.14+thefinal0","2.5.14","debian/2.5.13+thefinal0","2.5.13","debian/2.5.12+thefinal0","2.5.12","debian/2.5.11+thefinal0","2.5.11","debian/2.5.10+thefinal0","2.5.10","debian/2.5.9+thefinal5","2.5.9+thefinal5","debian/2.5.9+thefinal4","2.5.9+thefinal4","debian/2.5.9+thefinal3","2.5.9+thefinal3","debian/2.5.9+thefinal2","2.5.9+thefinal2","debian/2.5.9+thefinal1","2.5.9+thefinal1","debian/2.5.9+thefinal0","2.5.9","debian/2.5.9+dev20170116091118","2.5.9.dev20170116091118","debian/2.5.7+thefinal0","2.5.7","debian/2.5.6+thefinal0","2.5.6","debian/2.5.5+thefinal0","2.5.5","debian/2.5.4+thefinal0","2.5.4","debian/2.5.3+thefinal0","2.5.3","debian/2.5.2+thefinal0","2.5.2","debian/2.5.1+thefinal0","2.5.1","debian/2.4.0+thefinal0","2.4","debian/2.4.0+rc4","2.4c4","debian/2.4.0+rc3","2.4c3","debian/2.4.0+beta17","2.4b17","debian/2.4.0+beta14","2.4b14","debian/2.4.0+beta13","2.4b13","debian/2.4.0+beta12","2.4b12","debian/2.4.0+beta11","2.4b11","debian/2.4.0+beta10","2.4b10","debian/2.4.0+beta9","2.4b9","debian/2.4.0+beta8","2.4b8","debian/2.4.0+beta7","2.4b7","debian/2.4.0+beta6","2.4b6","debian/2.4.0+alpha34","2.4a34","debian/2.4.0+alpha33","2.4a33","debian/2.4.0+alpha32","2.4a32","debian/2.4.0+alpha31","2.4a31","debian/2.4.0+alpha30","2.4a30","debian/2.4.0+alpha29","2.4a29","debian/2.4.0+alpha28","2.4a28","debian/2.4.0+alpha27","2.4a27","debian/2.4.0+alpha26","2.4a26","debian/2.4.0+alpha25","2.4a25","debian/2.4.0+alpha24","2.4a24","debian/2.4.0+alpha23","2.4a23","debian/2.4.0+alpha22","2.4a22","debian/2.4.0+alpha21","2.4a21","debian/2.4.0+alpha20","2.4a20","debian/2.4.0+alpha19","2.4a19","debian/2.4.0+alpha18","2.4a18","debian/2.4.0+dev20141024171719","2.4.dev20141024171719","debian/2.4.0+alpha17","2.4a17","debian/2.4.0+alpha16","2.4a16","debian/2.4.0+alpha14","2.4a14","debian/2.4.0+alpha15","2.4a15","debian/2.4.0+alpha13","2.4a13","debian/2.4.0+alpha12","2.4a12","debian/2.4.0+alpha11","2.4a11","debian/2.4.0+alpha10","2.4a10","debian/2.4.0+alpha9","2.4a9","debian/2.4.0+alpha8","2.4a8","debian/2.4.0+alpha7","2.4a7","debian/2.4.0+alpha4","2.4a4","debian/2.0.0+thefinal7","debian/2.0.0+thefinal6","debian/2.0.0+thefinal5","debian/2.0.0+thefinal4","debian/2.0.0+thefinal3","debian/2.0.0+thefinal2","debian/2.0.0+thefinal1","debian/2.0.0+thefinal0","2.0","debian/2.0.0+rc13","2.0c13","debian/2.0.0+rc12","2.0c12","debian/2.0.0+rc10","2.0c10","debian/2.0.0+rc6","2.0c6","debian/2.0.0+rc4","2.0c4","debian/2.0.0+rc2","2.0c2","debian/2.0.0+rc1","2.0c1","debian/2.0.0+beta64","2.0b64","debian/2.0.0+beta62","2.0b62","debian/2.0.0+beta61","2.0b61","debian/2.0b54","debian/2.0.0+beta54","2.0b54","debian/2.0.0+beta52","2.0b52","debian/2.0.0+beta48","2.0b48","debian/2.0.0+beta47","2.0b47","debian/2.0.0+beta45","2.0b45","debian/2.0.0+beta44","2.0b44","debian/2.0.0+beta28","2.0b28","debian/2.0.0+beta12","2.0b12","debian/2.0.0+beta11","2.0b11","1.1-RC1","1.1-beta2","1.1-beta","1.0-RC1","1.0-beta"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-26043.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}