CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 4 days ago•15 views

CVE-2026-49345 Mercator CVE Configuration Vulnerable to Server-Side Request Forgery (SSRF)

5.3CVSS

CVE•added 4 days ago•13 views

CVE-2026-49345

CVE-2026-49345 affects Mercator before 2025.05.19. The SSRF flaw resides in the CVE configuration panel (/admin/config/parameters) where ConfigurationController.testProvider() passes user input directly to curl_init() without validating scheme/host/IP. An authenticated user with configure permiss...

5.3CVSS6.1AI score

Cvelist•added 4 days ago•15 views

CVE-2026-49344 Mercator has a Personal Identifiable Information Leak from Query Executor feature

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine /admin/queries/execute accepts a JSON DSL from / select / filters / traverse / output, translates it into an Eloquent query, and returns results as JSON...

7.1CVSS

CVE•added 4 days ago•11 views

CVE-2026-49344

Mercator (open source mapping app) prior to version 2025.05.19 is affected by CVE-2026-49344. The Query Engine endpoint /admin/queries/execute does not enforce an authorization gate, allowing any authenticated account (including read-only Auditor) to query models outside the intended scope (e.g.,...

7.1CVSS5.8AI score

Positive Technologies•added 4 days ago•9 views

PT-2026-51021

Name of the Vulnerable Software and Affected Versions Mercator versions prior to 2025.05.19 Description A Server-Side Request Forgery SSRF exists in the CVE configuration panel at the '/admin/config/parameters' endpoint. The testProvider method in ConfigurationController passes user-supplied inpu...

5.3CVSS6.3AI score

Exploits0References5

RedhatCVE•added 2026/02/26 4:15 a.m.•6 views

CVE-2026-27639

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting XSS vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives !! !! in display templates. An authenticated user with the User...

NVD•added 2026/02/25 4:16 a.m.•8 views

CVE-2026-27639

8.5CVSS0.00279EPSS

Cvelist•added 2026/02/25 3:44 a.m.•22 views

CVE-2026-27639 Mercator vulnerable to stored XSS via unescaped Blade directives in display templates

8.5CVSS0.00279EPSS

ATTACKERKB•added 2026/02/25 3:44 a.m.•4 views

CVE-2026-27639

Exploits0References5Affected Software1

Vulnrichment•added 2026/02/25 3:44 a.m.•4 views

CVE-2026-27639 Mercator vulnerable to stored XSS via unescaped Blade directives in display templates

CVE•added 2026/02/25 3:44 a.m.•9 views

CVE-2026-27639

CVE-2026-27639 concerns Mercator, an open‑source web app for mapping information systems. A stored XSS exists in versions prior to 2026.02.22 due to unescaped Blade directives ({!! !!}) in display templates. An authenticated user with the User role can inject JavaScript into fields like “contact ...

Exploits0References4Affected Software1

OSV•added 2026/02/25 3:44 a.m.•5 views

CVE-2026-27639 Mercator vulnerable to stored XSS via unescaped Blade directives in display templates

8.5CVSS5.7AI score0.00279EPSS

Exploits0References6

EUVD•added 2026/02/25 3:44 a.m.•5 views

EUVD-2026-8613

Positive Technologies•added 2026/02/25 12:0 a.m.•5 views

PT-2026-21855

CNNVD•added 2026/02/25 12:0 a.m.•6 views

Exploits0References5

Mercator 跨站脚本漏洞

Mercator is an ecosystem visualization software developed by Didier Barzin. Versions of Mercator before 2026.02.22 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of unescaped Blade directives in the display templates, which could lead to storage-based...