CVE-2026-0521

MEDIUM

TYDAC MAP+ 3.4.0 - Unauthenticated Reflected Cross-Site Scripting via PDF Export Functionality

Title source: llm

Description

A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL that, if visited by a victim, executes arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance by sending a link or by tricking victims into visiting a page crafted by the attacker. This issue was verified in MAP+ 3.4.0.

References (2)

Core References
Various Sources product
https://www.tydac.ch/en/mapplus/
Various Sources third-party-advisory technical-description
https://www.redguard.ch/blog/2026/02/05/advisory-tydac-mapplus/

Scores

CVSS v3 6.1
EPSS 0.0026
EPSS Percentile 17.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
tydac/map+ 3.4.0
Published Feb 06, 2026
Tracked Since Feb 18, 2026