Description
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (`/admin/config/parameters`). The `testProvider()` method in `ConfigurationController` passes user-supplied input directly to `curl_init()` without validating the scheme, hostname, or destination IP address. An authenticated user with the `configure` permission can force the Mercator server to issue arbitrary outbound network requests. The suffix `/api/dbInfo` appended to the URL can be bypassed by injecting a `#` fragment character (e.g. `http://TARGET/PATH#`), allowing full control over the target URL. No scheme whitelist, host whitelist, or private/loopback IP block is applied. The `telnet://` scheme can be used for internal port scanning; the `gopher://` scheme enables interaction with unauthenticated internal services (Redis, Memcached), potentially leading to Remote Code Execution under specific deployment conditions. Version 2025.05.19 patches the issue.
Published: 2026-06-19
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mercator's configuration panel, accessed via /admin/config/parameters, contains a Server-Side Request Forgery vulnerability that allows an authenticated user with the configure permission to supply arbitrary URLs to curl_init(). Because the input string is passed verbatim, users can bypass the intended /api/dbInfo suffix by appending a # fragment, giving them full control over the target address. The lack of scheme, hostname, or private IP filtering means that schemes such as telnet:// can be used for internal port scanning, and gopher:// can access unauthenticated internal services such as Redis or Memcached, which under certain deployment conditions can lead to remote code execution.

Affected Systems

Sourcentis Mercator versions older than 2025.05.19 are vulnerable. All deployed instances prior to the 2025.05.19 release, regardless of environment, are affected.

Risk and Exploitability

The CVSS score of 5.3 categorizes the vulnerability as moderate severity. The EPSS score is not available, and the issue is not listed in CISA's KEV catalog. Exploitation requires a logged-in user with the configure role, so the attack vector is limited to authenticated users; however, once authenticated, the attacker can request arbitrary external resources, perform internal network reconnaissance, and potentially execute code on internal services via gopher://. The lack of external access restrictions and the ability to target internal infrastructure increase the risk to confidentiality, integrity, and availability of the internal network.

Generated by OpenCVE AI on June 19, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 2025.05.19 or later to address the SSRF vulnerability.
  • Restrict the configure permission to a minimal set of trusted administrators and, if possible, disable the testProvider() function until a patch is applied.
  • Configure outbound network filtering to block Mercator’s ability to reach internal IP ranges or critical services, thereby limiting the impact of an SSRF exploitation.

Generated by OpenCVE AI on June 19, 2026 at 21:29 UTC.
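The recommended actions above describe the fix in policy terms. The following PHP is an added example and is not Mercator's code: it shows what the three missing controls named in the description (scheme allowlist, host/IP filtering, and a URL rebuild that neutralises the `#` fragment trick) look like in front of the same `curl_init()` call. The function names `buildProviderTestUrl()` and `testProviderHardened()` are hypothetical, and the sample URLs are constructed (the accepted one uses a documentation address, not a real provider).

```php
<?php
// Added example, not Mercator's own code. Hardens the pattern the advisory
// describes: a user-supplied base URL gets "/api/dbInfo" appended and is handed
// to curl. Function names here are hypothetical; sample URLs are constructed.

/**
 * Validate a user-supplied provider base URL and return the exact URL curl may
 * request plus a pinned DNS answer. Throws on any policy violation.
 */
function buildProviderTestUrl(string $userInput): array
{
    $parts = parse_url($userInput);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException('Malformed provider URL');
    }

    // 1. Scheme allowlist: refuses gopher://, telnet://, file://, dict:// etc.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException("Scheme '$scheme' is not allowed");
    }

    // 2. No embedded credentials (http://user:pass@host confuses naive checks).
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('Credentials in the URL are not allowed');
    }

    // 3. Resolve the host ourselves and refuse private, loopback and link-local
    //    answers. parse_url keeps the brackets on IPv6 literals, so strip them.
    $host = trim($parts['host'], '[]');
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $ips = [];
        foreach (dns_get_record($host, DNS_A + DNS_AAAA) ?: [] as $rec) {
            $ips[] = $rec['ip'] ?? $rec['ipv6'] ?? null;
        }
        $ips = array_values(array_filter($ips));
    }
    if ($ips === []) {
        throw new InvalidArgumentException("Host '$host' does not resolve");
    }
    foreach ($ips as $ip) {
        $ok = filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
        if ($ok === false) {
            throw new InvalidArgumentException("Host '$host' resolves to a non-public address ($ip)");
        }
    }

    // 4. Rebuild the URL from validated parts only. Query and fragment are
    //    dropped, so a trailing '#' can no longer detach the /api/dbInfo suffix.
    $path = rtrim($parts['path'] ?? '', '/');
    $url  = sprintf('%s://%s:%d%s/api/dbInfo', $scheme, $parts['host'], $port, $path);

    // 5. Pin the first vetted address so a DNS answer that changes between our
    //    check and curl's own lookup cannot swap in an internal IP. IPv6 needs brackets.
    $pin = strpos($ips[0], ':') !== false ? "[{$ips[0]}]" : $ips[0];

    return ['url' => $url, 'resolve' => ["$host:$port:$pin"]];
}

/** Hardened replacement for a bare curl_init($userInput) call. */
function testProviderHardened(string $userInput): string|false
{
    $target = buildProviderTestUrl($userInput);
    $ch = curl_init($target['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // second line of defence
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false, // a 3xx pointing at an internal address is not followed
        CURLOPT_RESOLVE         => $target['resolve'],
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed inputs exercising each check (IP literals need no DNS).
foreach ([
    'https://203.0.113.10/cve#',          // accepted: fragment dropped, suffix kept
    'http://127.0.0.1:6379/#',            // rejected: loopback address
    'gopher://10.0.0.5:11211/',           // rejected: scheme not in allowlist
    'http://admin:secret@203.0.113.10/',  // rejected: embedded credentials
] as $input) {
    try {
        $t = buildProviderTestUrl($input);
        echo "ACCEPT $input -> {$t['url']} (pinned {$t['resolve'][0]})\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECT $input -> {$e->getMessage()}\n";
    }
}
```

Two design points worth noting. The URL is rebuilt from parsed components rather than string-concatenated, which is what actually closes the `#` bypass; checking for a literal `#` would miss percent-encoded or redirect-based variants. And the address check, the pinned `CURLOPT_RESOLVE` entry, and `CURLOPT_PROTOCOLS` are deliberately redundant layers: on PHP 8.2 and later `FILTER_FLAG_GLOBAL_RANGE` can replace the two legacy flags for a stricter notion of "public", and egress filtering at the network level (the third recommended action) still applies regardless of what the application code does.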

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 22:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Sourcentis; Sourcentis mercator
Vendors & Products  |                | Sourcentis; Sourcentis mercator

Fri, 19 Jun 2026 20:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (`/admin/config/parameters`). The `testProvider()` method in `ConfigurationController` passes user-supplied input directly to `curl_init()` without validating the scheme, hostname, or destination IP address. An authenticated user with the `configure` permission can force the Mercator server to issue arbitrary outbound network requests. The suffix `/api/dbInfo` appended to the URL can be bypassed by injecting a `#` fragment character (e.g. `http://TARGET/PATH#`), allowing full control over the target URL. No scheme whitelist, host whitelist, or private/loopback IP block is applied. The `telnet://` scheme can be used for internal port scanning; the `gopher://` scheme enables interaction with unauthenticated internal services (Redis, Memcached), potentially leading to Remote Code Execution under specific deployment conditions. Version 2025.05.19 patches the issue.
Title       |                | Mercator CVE Configuration Vulnerable to Server-Side Request Forgery (SSRF)
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T19:23:22.858Z

Reserved: 2026-05-29T14:35:45.903Z

Link: CVE-2026-49345

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T22:15:03Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)