CVE-2026-49345

MEDIUM

Mercator CVE Configuration Vulnerable to Server-Side Request Forgery (SSRF)

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-49345. PoCs published by hadhub.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2026-49345, demonstrating an SSRF vulnerability in Mercator that can be leveraged for RCE via Redis. The PoC includes tools for port scanning and executing Redis commands through the SSRF flaw.

Description

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (`/admin/config/parameters`). The `testProvider()` method in `ConfigurationController` passes user-supplied input directly to `curl_init()` without validating the scheme, hostname, or destination IP address. An authenticated user with the `configure` permission can force the Mercator server to issue arbitrary outbound network requests. The suffix `/api/dbInfo` appended to the URL can be bypassed by injecting a `#` fragment character (e.g. `http://TARGET/PATH#`), allowing full control over the target URL. No scheme whitelist, host whitelist, or private/loopback IP block is applied. The `telnet://` scheme can be used for internal port scanning; the `gopher://` scheme enables interaction with unauthenticated internal services (Redis, Memcached), potentially leading to Remote Code Execution under specific deployment conditions. Version 2025.05.19 patches the issue.

Exploits (1)

nomisec WORKING POC
by hadhub · poc
https://github.com/hadhub/CVE-2026-49345-Mercator-SSRF

This repository contains functional exploit code for CVE-2026-49345, demonstrating an SSRF vulnerability in Mercator that can be leveraged for RCE via Redis. The PoC includes tools for port scanning and executing Redis commands through the SSRF flaw.

Classification
Working Poc 100%
Attack Type
Ssrf
Complexity
Moderate
Reliability
Reliable
Target: Mercator
Auth required
Prerequisites: Mercator instance with SSRF vulnerability · Redis instance accessible via SSRF · Valid Mercator credentials with 'configure' permission
devstral-2 · analyzed Jul 02, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v4 5.3
EPSS 0.0054
EPSS Percentile 41.4%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (1)
sourcentis/mercator < 2025.05.19
Published Jun 19, 2026
Tracked Since Jun 20, 2026