CVE-2026-27639

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.4 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N                                    

Vulnerability Description

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives (`{!! !!}`) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.

Vulnerability Details

Published Date

February 25, 2026

Last Modified

February 27, 2026

CWE ID

CWE-79

Source

NVD

Vendor

dbarzin

Product

mercator

External References

https://github.com/dbarzin/mercator/commit/839d231399944e43a865198262e96e0218252cc3
https://github.com/dbarzin/mercator/commit/9902ffd91f287e474729f514c77261f4ef7db8fe
https://github.com/dbarzin/mercator/commit/c58bb1d2fff18605c61d93cfaf77adca416c560a
https://github.com/dbarzin/mercator/security/advisories/GHSA-65p7-pph2-966g

CVE-2026-27639

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment