Skip to main content

Vertigis Fm CVE-2026-3877

| EUVDEUVD-2026-17883 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-01 NCSC.ch GHSA-mc25-w9g7-hq9v
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:09 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
10.13.403
EUVD ID Assigned
Apr 01, 2026 - 13:30 euvd
EUVD-2026-17883
Analysis Generated
Apr 01, 2026 - 13:30 vuln.today
CVE Published
Apr 01, 2026 - 13:12 nvd
HIGH 7.3

DescriptionCVE.org

A reflected cross-site scripting (XSS) vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL, that if visited by an authenticated victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.

AnalysisAI

Reflected cross-site scripting in VertiGIS FM dashboard search functionality allows authenticated attackers to execute arbitrary JavaScript in victim browsers through malicious URLs. The vulnerability affects VertiGIS FM across versions and requires user interaction (victim clicking a crafted link), but provides no authentication bypass-victims must already be logged into the application. CVSS score is not available; exploitation requires victim interaction and authentication context.

Technical ContextAI

The vulnerability is a reflected XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) in the dashboard search feature of VertiGIS FM, a geospatial information management platform. The search functionality fails to properly sanitize or encode user-supplied input from URL parameters before rendering it in the HTML response. When an authenticated user visits a malicious URL crafted by an attacker, unsanitized search parameters are reflected directly into the page DOM, allowing JavaScript execution within the victim's browser session. This occurs in the application's client-side rendering context where the victim's authentication token and session cookies remain accessible to the injected script.

RemediationAI

Contact VertiGIS and NCSC.ch for specific patched version guidance, as no exact vendor patch version is confirmed in the available data. Organizations should immediately audit deployed VertiGIS FM instances for version confirmation and monitor official VertiGIS security advisories for a released patch. As interim mitigation, restrict access to VertiGIS FM dashboards to trusted networks via firewall or VPN, educate users to avoid clicking suspicious links referencing VertiGIS FM, and consider deploying a Web Application Firewall (WAF) with XSS filtering rules if applicable to the deployment. The advisory from https://www.redguard.ch/blog/2026/04/01/advisory-vertigis-vertigisfm/ and coordination with NCSC.ch should provide additional guidance on patch timelines.

Share

CVE-2026-3877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy