Description
Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives (`{!! !!}`) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.
Published: 2026-02-25
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Apply Patch
AI Analysis

Impact

Mercator is an open‑source mapping application that allows authenticated users to create and edit system entities. The vulnerability arises from the use of unescaped Blade directives (``{!! !!}``) in the display templates, which means that any JavaScript injected into a field such as "contact point" is rendered directly into the page without filtering. When an entity containing such a payload is viewed, the script runs in the browser of any user who opens the page, including administrators. This can lead to cookie theft, session hijacking, data exfiltration, or other malicious actions that compromise confidentiality and integrity. The weakness is classified as CWE‑79: Cross‑Site Scripting.

Affected Systems

The affected product is Mercator, released by dbarzin. All versions prior to 2026.02.22 contain the flaw; version 2026.02.22 and later contain the fix. No specific vendor product names beyond "Mercator" are listed.

Risk and Exploitability

The CVSS base score of 8.5 indicates a high severity vulnerability. The EPSS score of less than 1% suggests current exploitation probability is low, and the issue is not yet listed in the CISA KEV catalog. The attack vector is inferred to be malware injection by an authenticated user with the User role; this user can add malicious code to entities, which then propagates to every user who views the affected page. The high score and broad reach within the user community mean that this vulnerability poses a significant risk to affected deployments, especially where privileged users can create or edit entities.

Generated by OpenCVE AI on April 17, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mercator to version 2026.02.22 or later, which removes the unescaped Blade directives from all display templates.
  • After the upgrade, inspect the templates and configuration to confirm that no remaining use of ``{!! !!}`` exists, and enforce strict output escaping of all user‑supplied data.
  • Clean any stored payloads from existing entities by removing suspicious content from fields such as the contact point.
  • Conduct a code review or automated scan to identify any other potential unescaped Blade usage throughout the application.

Generated by OpenCVE AI on April 17, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Sourcentis
Sourcentis mercator
CPEs cpe:2.3:a:sourcentis:mercator:*:*:*:*:*:*:*:*
Vendors & Products Sourcentis
Sourcentis mercator
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 25 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Dbarzin
Dbarzin mercator
Vendors & Products Dbarzin
Dbarzin mercator

Wed, 25 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Description Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives (`{!! !!}`) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.
Title Mercator vulnerable to stored XSS via unescaped Blade directives in display templates
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Dbarzin Mercator
Sourcentis Mercator
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T15:20:41.753Z

Reserved: 2026-02-20T22:02:30.029Z

Link: CVE-2026-27639

cve-icon Vulnrichment

Updated: 2026-02-25T15:20:33.672Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T04:16:04.280

Modified: 2026-02-27T18:45:51.407

Link: CVE-2026-27639

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses