Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint exploitable by any authenticated user (PR:L) with no user interaction; only confidentiality is impacted (read-only Query Engine exposing User data and password hashes).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (/admin/queries/execute) accepts a JSON DSL (from / select / filters / traverse / output), translates it into an Eloquent query, and returns results as JSON. The controller method QueryController::execute() does not enforce an authorization gate, unlike store() and massDestroy() in the same controller which are correctly protected. As a result, any authenticated account - including the read-only Auditor role - can query models beyond its intended scope, including the User model. Additionally, the password column, although declared $hidden, is not excluded from filter predicates, which allows it to be used in LIKE conditions. The schema() and schemaModel() endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.
AnalysisAI
Authorization bypass in Mercator information system mapping application prior to version 2025.05.19 allows any authenticated user - including the read-only Auditor role - to query arbitrary Eloquent models via the unprotected /admin/queries/execute endpoint. The flaw permits enumeration of the User model and even allows the supposedly $hidden password column to be probed via LIKE filter predicates, enabling blind extraction of password hashes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) a valid authenticated session on the target Mercator instance - any role suffices, including the read-only Auditor role, because the `QueryController::execute()` method has no role/permission gate; (2) network reachability to the `/admin/queries/execute` endpoint (and `/admin/queries/schema`, `/admin/queries/schemaModel` for enumeration); (3) Mercator version prior to 2025.05.19. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) of 7.1 accurately reflects a network-reachable, low-complexity confidentiality-only flaw requiring low privileges - any authenticated account, including the explicitly read-only Auditor role, is sufficient. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any valid Mercator login (e.g. a compromised Auditor contractor account) sends a POST to `/admin/queries/execute` with a JSON DSL targeting `from: User`, then uses `filters` with `LIKE` patterns against the `password` column to extract the bcrypt hash one character at a time through blind oracle responses. … |
| Remediation | Vendor-released patch: upgrade Mercator to version 2025.05.19 or later, which adds the missing authorization gate to `QueryController::execute()`, `schema()`, and `schemaModel()` (see https://github.com/sourcentis/mercator/security/advisories/GHSA-q3r8-3h7c-96w3). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Review access logs and query audit logs for suspicious activity on the /admin/queries/execute endpoint, particularly from Auditor and read-only role accounts querying the User model; preserve logs for forensic analysis. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Server-Side Request Forgery in Mercator's CVE configuration panel allows authenticated users holding the low-privilege '
Stored XSS in Mercator prior to version 2026.02.22 allows authenticated users to execute arbitrary JavaScript in other u
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38071