8.5

CVE-2026-27639

Mercator vulnerable to stored XSS via unescaped Blade directives in display templates

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives (`{!! !!}`) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SourcentisMercator Version < 2026.02.22
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.28% 0.194
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.3 2.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com 8.5 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/dbarzin/mercator/commit/839d231399944e43a865198262e96e0218252cc3
Patch
https://github.com/dbarzin/mercator/commit/9902ffd91f287e474729f514c77261f4ef7db8fe
Patch
https://github.com/dbarzin/mercator/commit/c58bb1d2fff18605c61d93cfaf77adca416c560a
Patch
https://github.com/dbarzin/mercator/security/advisories/GHSA-65p7-pph2-966g
Vendor Advisory
Mitigation