Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A reflected cross-site scripting (XSS) vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL, that if visited by an authenticated victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.
AnalysisAI
Reflected cross-site scripting in VertiGIS FM dashboard search functionality allows authenticated attackers to execute arbitrary JavaScript in victim browsers through malicious URLs. The vulnerability affects VertiGIS FM across versions and requires user interaction (victim clicking a crafted link), but provides no authentication bypass-victims must already be logged into the application. CVSS score is not available; exploitation requires victim interaction and authentication context.
Technical ContextAI
The vulnerability is a reflected XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) in the dashboard search feature of VertiGIS FM, a geospatial information management platform. The search functionality fails to properly sanitize or encode user-supplied input from URL parameters before rendering it in the HTML response. When an authenticated user visits a malicious URL crafted by an attacker, unsanitized search parameters are reflected directly into the page DOM, allowing JavaScript execution within the victim's browser session. This occurs in the application's client-side rendering context where the victim's authentication token and session cookies remain accessible to the injected script.
RemediationAI
Contact VertiGIS and NCSC.ch for specific patched version guidance, as no exact vendor patch version is confirmed in the available data. Organizations should immediately audit deployed VertiGIS FM instances for version confirmation and monitor official VertiGIS security advisories for a released patch. As interim mitigation, restrict access to VertiGIS FM dashboards to trusted networks via firewall or VPN, educate users to avoid clicking suspicious links referencing VertiGIS FM, and consider deploying a Web Application Firewall (WAF) with XSS filtering rules if applicable to the deployment. The advisory from https://www.redguard.ch/blog/2026/04/01/advisory-vertigis-vertigisfm/ and coordination with NCSC.ch should provide additional guidance on patch timelines.
More in Vertigis Fm
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17883
GHSA-mc25-w9g7-hq9v