Mercator
CVE-2026-27639
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives ({!! !!}) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.
AnalysisAI
Stored XSS in Mercator prior to version 2026.02.22 allows authenticated users to execute arbitrary JavaScript in other users' browsers by injecting malicious payloads into entity fields like contact points. The vulnerability exploits improperly escaped Blade template directives, enabling attackers to compromise administrator accounts and perform actions with their privileges. A patch is available in version 2026.02.22.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Mercator. Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives ({!! !!}) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affecte
RemediationAI
A vendor patch is available — apply it immediately. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Authorization bypass in Mercator information system mapping application prior to version 2025.05.19 allows any authentic
Server-Side Request Forgery in Mercator's CVE configuration panel allows authenticated users holding the low-privilege '
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today