The GeoNetwork WFS Index functionality is affected by a GeoTools XML External Entity (XXE) vulnerability during schema validation.
This vulnerability is particularly severe because the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files.
GeoNetwork 4.4.8 / 4.2.13.
Remove the gn-wfsfeature-harvester and gn-camelPeriodicProducer jars, disabling the WFS Index functionality.
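To confirm on a host that the workaround has been applied, the following added example (not part of the advisory or of the GeoNetwork project) scans a webapp library directory for the two jars. The directory you pass in and the `<name>-<version>.jar` naming pattern are assumptions; adjust them to your deployment.

```sh
#!/bin/sh
# Added example: audit a library directory for the two jars named in the
# workaround. Jar name prefixes come from the advisory text; the
# "<prefix>.jar" / "<prefix>-<version>.jar" file naming is an assumption.
WFS_INDEX_JARS="gn-wfsfeature-harvester gn-camelPeriodicProducer"

# find_wfs_index_jars LIBDIR
# Prints the path of every matching jar, one per line.
# Returns 0 if none are present (workaround applied), 1 if any remain,
# 2 if LIBDIR is not a readable directory.
find_wfs_index_jars() {
    libdir=$1
    if [ ! -d "$libdir" ] || [ ! -r "$libdir" ]; then
        echo "error: '$libdir' is not a readable directory" >&2
        return 2
    fi
    found=0
    for prefix in $WFS_INDEX_JARS; do
        for jar in "$libdir/$prefix".jar "$libdir/$prefix"-*.jar; do
            [ -e "$jar" ] || continue   # an unmatched glob stays literal
            echo "$jar"
            found=1
        done
    done
    return "$found"
}

# Script usage: pass the webapp library directory as the only argument.
if [ "$#" -eq 1 ]; then
    rc=0
    find_wfs_index_jars "$1" || rc=$?
    case "$rc" in
        0) echo "OK: WFS Index jars are not present in $1" ;;
        1) echo "WARNING: WFS Index jars listed above are still present" ;;
    esac
    exit "$rc"
fi
```

Removing the jars only takes effect once the servlet container has been restarted, so run the check as part of the same change.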
{ "nvd_published_at": null, "severity": "HIGH", "github_reviewed_at": "2025-06-10T20:10:42Z", "github_reviewed": true, "cwe_ids": [ "CWE-611", "CWE-918" ] }