CVE-2026-27639

MEDIUM

Mercator < 2026.02.22 - Authenticated Stored Cross-Site Scripting via Unescaped Blade Directives

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-27639. PoCs published by XiaomingX, hadhub.

AI-analyzed exploit summary: the automated summary attached to the XiaomingX entry describes a time-based blind SQL injection against WordPress Quiz Maker (CVE-2025-10042), not this issue. That entry is one directory inside a multi-CVE PoC collection, and its summary and classification should not be read as describing CVE-2026-27639. The hadhub entry is a reference writeup for the Mercator XSS and contains no exploit code.

Description

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 because display templates emit user-supplied values through the unescaped Blade directive (`{!! !!}`), which outputs raw HTML, instead of `{{ }}`, which HTML-escapes the value. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The stored payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.
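The following Python script is an added illustration of the escaping difference described above; it is not Mercator's code and not from the advisory. It mimics how Blade treats `{!! !!}` (raw echo) versus `{{ }}` (echo through `e()`, i.e. htmlspecialchars with ENT_QUOTES; approximated here with `html.escape`) on a constructed view fragment and a constructed "contact point" payload, and includes a small audit helper that lists every raw-echo expression in a template so a Laravel code base can be checked for the same pattern. The template, entity data, and payload are assumptions made for the example.

```python
import html
import re
from pathlib import Path

# Matches both Blade echo forms: group(1) is "!!" for {!! expr !!} (raw)
# and "{" for {{ expr }} (escaped); group(2) is the expression inside.
ECHO = re.compile(r"\{(!!|\{)\s*(.*?)\s*(?:!!|\})\}", re.S)

# Constructed view fragments modelled on the advisory's description; they are
# not Mercator's real templates. The first emits contact_point unescaped.
VULNERABLE_VIEW = (
    '<div class="name">{{ $entity->name }}</div>\n'
    '<div class="contact">{!! $entity->contact_point !!}</div>\n'
)
FIXED_VIEW = VULNERABLE_VIEW.replace(
    "{!! $entity->contact_point !!}", "{{ $entity->contact_point }}"
)

# Constructed payload of the kind a low-privileged user could store in a
# free-text field; it runs when a higher-privileged user views the page.
PAYLOAD = '<img src=x onerror="fetch(\'/evil?c=\'+document.cookie)">'
ENTITY = {"entity": {"name": "Payroll system", "contact_point": PAYLOAD}}


def blade_escape(value) -> str:
    """Approximates Blade's e() helper (htmlspecialchars, ENT_QUOTES).
    Python emits &#x27; for a single quote where PHP emits &#039;."""
    return html.escape(str(value), quote=True)


def _resolve(expr: str, context: dict):
    """Resolve a '$var->field->field' expression against a dict context."""
    parts = expr.lstrip("$").split("->")
    value = context[parts[0]]
    for attr in parts[1:]:
        value = value[attr]
    return value


def render(template: str, context: dict) -> str:
    """Minimal stand-in for Blade's compiler: raw echo for {!! !!},
    escaped echo for {{ }}."""
    def emit(match: re.Match) -> str:
        value = _resolve(match.group(2), context)
        if match.group(1) == "!!":
            return str(value)          # {!! !!}: written verbatim into the page
        return blade_escape(value)     # {{ }}: HTML-escaped before output
    return ECHO.sub(emit, template)


def find_raw_echoes(template: str) -> list:
    """Audit helper: every expression a template emits without escaping."""
    return [m.group(2) for m in ECHO.finditer(template) if m.group(1) == "!!"]


def audit_blade_dir(root: str) -> dict:
    """Scan a directory tree (e.g. resources/views) for raw echoes per file."""
    findings = {}
    for path in Path(root).rglob("*.blade.php"):
        raw = find_raw_echoes(path.read_text(encoding="utf-8", errors="replace"))
        if raw:
            findings[str(path)] = raw
    return findings


def payload_survives(rendered: str) -> bool:
    """True when the stored payload reaches the page as active markup."""
    return PAYLOAD in rendered


if __name__ == "__main__":
    print("raw echoes in vulnerable view:", find_raw_echoes(VULNERABLE_VIEW))
    print("--- vulnerable render ---")
    print(render(VULNERABLE_VIEW, ENTITY))
    print("--- fixed render ---")
    print(render(FIXED_VIEW, ENTITY))
```

Run it directly to see the two renders side by side, or point `audit_blade_dir("resources/views")` at a Laravel checkout; every expression it reports is a place where the value must be trusted or sanitised server-side, since the template will not escape it.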

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27639

This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction logic for WordPress admin credentials and hashes.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)
devstral-2 · analyzed Feb 27, 2026
nomisec WRITEUP
by hadhub · poc
https://github.com/hadhub/CVE-2026-27639-Mercator-XSS

This repository provides references to external sources detailing CVE-2026-27639, an XSS vulnerability in Mercator. It includes links to the CVE record, a technical blog post, and a GitHub security advisory, but no actual exploit code.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Theoretical
Target: Mercator (version not specified)
Auth: authenticated user with the User role required (description and CVSS PR:L)
Prerequisites: Access to a vulnerable Mercator instance
devstral-2 · analyzed Feb 25, 2026

Scores

CVSS v3 5.4
EPSS 0.0028
EPSS Percentile 19.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
sourcentis/mercator < 2026.02.22
Published Feb 25, 2026
Tracked Since Feb 25, 2026