CVE-2026-27639

MEDIUM

Mercator <2026.02.22 - Stored XSS

Title source: llm

Description

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives (`{!! !!}`) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27639

View Code ZIP pw:eip

nomisec WRITEUP

by hadhub · poc

https://github.com/hadhub/CVE-2026-27639-Mercator-XSS

View Code ZIP pw:eip

References (4)

[Patch] https://github.com/dbarzin/mercator/commit/839d231399944e43a865198262e96e0218252cc3

[Patch] https://github.com/dbarzin/mercator/commit/9902ffd91f287e474729f514c77261f4ef7db8fe

[Patch] https://github.com/dbarzin/mercator/commit/c58bb1d2fff18605c61d93cfaf77adca416c560a

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/dbarzin/mercator/security/advisories/GHSA-65p7-pph2-966g

Scores

CVSS v3 5.4

EPSS 0.0004

EPSS Percentile 13.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

sourcentis/mercator < 2026.02.22

Published Feb 25, 2026

Tracked Since Feb 25, 2026