CVE-2026-27639

HIGH EPSS 19.7%
Published Feb 25, 2026 (4mo ago) · Modified Jun 17, 2026 (2w ago)
8.5 CVSS 4.0
High

Description

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives (`{!! !!}`) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.

CVSS Details

Base Score
8.5
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Passive (P)
Scope X

Threat Intelligence

EPSS Exploit Probability
19.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor       Product    Version   Range
sourcentis   mercator   *         <2026.02.22

References 4

  • github.com https://github.com/dbarzin/mercator/commit/839d231399944e43a865198262e96e0218252cc3
    Patch
  • github.com https://github.com/dbarzin/mercator/commit/9902ffd91f287e474729f514c77261f4ef7db8fe
    Patch
  • github.com https://github.com/dbarzin/mercator/commit/c58bb1d2fff18605c61d93cfaf77adca416c560a
    Patch
  • github.com https://github.com/dbarzin/mercator/security/advisories/GHSA-65p7-pph2-966g
    Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/dbarzin/mercator/commit/839d231399944e43a865198262e96e0218252cc3
    Patch
  • github.com https://github.com/dbarzin/mercator/commit/9902ffd91f287e474729f514c77261f4ef7db8fe
    Patch
  • github.com https://github.com/dbarzin/mercator/commit/c58bb1d2fff18605c61d93cfaf77adca416c560a
    Patch