Description
A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.



This issue was verified in MAP+: 3.4.0.
Published: 2026-02-06
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that executes arbitrarily code in a victim’s browser when a crafted PDF export link is visited
Action: Patch promptly
AI Analysis

Impact

The flaw is a reflected cross‑site scripting vulnerability in the PDF export endpoint of TYDAC AG MAP+. The endpoint’s error response reflects user‑supplied input without proper encoding, allowing an attacker to embed malicious JavaScript in a URL that, when visited by a user, runs in the victim’s browser context. This can lead to session hijacking, defacement, or execution of further malicious actions within the victim’s session. The weakness is a classic reflected XSS, classified as CWE‑79.

Affected Systems

TYDAC AG MAP+ versions 3.4.0 is confirmed vulnerable. No other versions were explicitly listed in the advisory, so only this release should be considered affected for now.

Risk and Exploitability

The CVSS base score of 5.6 reflects moderate impact, primarily because exploitation requires the victim to click a malicious link. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation at this time. The issue is not listed in the CISA KEV catalog. Exploitation is possible without authentication; an attacker simply distributes a crafted link via phishing, social engineering, or embedding in a victim‑targeted page. The impact is limited to the victim’s browser session and any data accessed within that session.

Generated by OpenCVE AI on April 18, 2026 at 13:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch for MAP+ that removes the unencoded error response in the PDF export functionality.
  • If a patch is not yet available, configure the application firewall or web server to block requests to the PDF export endpoint that contain script fragments or otherwise block all PDF export functionality in trusted environments.
  • Introduce web application safeguards such as a content‑security‑policy header and server‑side escaping of all output rendered in error messages, ensuring that future similar oversights do not result in reflected XSS.

Generated by OpenCVE AI on April 18, 2026 at 13:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Tydac
Tydac map\+
CPEs cpe:2.3:a:tydac:map\+:3.4.0:*:*:*:*:*:*:*
Vendors & Products Tydac
Tydac map\+
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Tydac Ag
Tydac Ag map+
Vendors & Products Tydac Ag
Tydac Ag map+

Fri, 06 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 06:30:00 +0000

Type Values Removed Values Added
Description A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker. This issue was verified in MAP+: 3.4.0.
Title Reflected Cross-Site Scripting in PDF Export Error Message
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Tydac Map\+
Tydac Ag Map+
cve-icon MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-02-06T15:22:50.179Z

Reserved: 2025-12-17T08:22:37.425Z

Link: CVE-2026-0521

cve-icon Vulnrichment

Updated: 2026-02-06T15:22:36.225Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T07:16:11.353

Modified: 2026-02-18T17:43:20.867

Link: CVE-2026-0521

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses