Description
A reflected cross-site scripting (XSS) vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL that, if visited by an authenticated victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance by sending a link or by tricking victims into visiting a page crafted by the attacker.
Published: 2026-04-01
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Malicious script execution in authenticated user context
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a reflected cross-site scripting flaw in the dashboard search feature of VertiGIS FM. A maliciously crafted URL can contain arbitrary JavaScript that is executed in the browser when an authenticated user opens the link. This enables attackers to run scripts in the victim's browser session, potentially stealing session cookies, injecting malicious content, or performing unauthorized actions within the application.

Affected Systems

The issue affects the VertiGIS FM solution as distributed by VertiGIS. No specific version information is provided by the CNA; the vulnerability applies to any installation that includes the affected dashboard search functionality. The CPE strings identify the product as vertigis:fm and vertigis:vertigis_fm.

Risk and Exploitability

The CVSS v4.0 score of 7.3 indicates high severity (the CVSS v3.1 vector recorded in the history below scores 6.1). The EPSS score is below 1%, suggesting that widespread exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the flaw can be triggered by a single link click, requiring only that the victim is authenticated and visits the crafted URL. This combination of low attacker effort and high impact makes the risk moderate to high, especially within organizations where users routinely access internal dashboards.

Generated by OpenCVE AI on April 2, 2026 at 23:01 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest VertiGIS FM patch or update that resolves the dashboard search XSS flaw.
  • Verify that input to the dashboard search is properly sanitized and that user input is encoded before rendering.
  • Monitor traffic for suspicious URLs or phishing attempts that could exploit the flaw.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Vertigis fm
CPEs                |                | cpe:2.3:a:vertigis:fm:*:*:*:*:*:*:*:*
Vendors & Products  |                | Vertigis fm
Metrics             |                | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type                | Values Removed | Values Added
Description         |                | A reflected cross-site scripting (XSS) vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL, that if visited by an authenticated victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.
Title               |                | Reflected Cross-Site Scripting in Dashboard Search
First Time appeared |                | Vertigis; Vertigis vertigis Fm
Weaknesses          |                | CWE-79
CPEs                |                | cpe:2.3:a:vertigis:vertigis_fm:*:*:*:*:*:*:*:*
Vendors & Products  |                | Vertigis; Vertigis vertigis Fm
References          |                |
Metrics             |                | cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}
                    |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-04-01T13:33:40.924Z

Reserved: 2026-03-10T12:01:10.709Z

Link: CVE-2026-3877

Vulnrichment

Updated: 2026-04-01T13:33:23.711Z

NVD

Status : Analyzed

Published: 2026-04-01T14:16:58.130

Modified: 2026-04-02T19:36:47.993

Link: CVE-2026-3877

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:19:07Z

Weaknesses