QwikSec

Security Database

CVE

CWE

Training

CVE-2026-27639

Published: Feb 25, 2026

Modified: Feb 25, 2026

PUBLISHED

Description

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives (`{!! !!}`) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.

Vendor	Product	Versions
dbarzin	mercator	affected `< 2026.02.22`

Weaknesses (CWE)

References

https://github.com/dbarzin/mercator/security/advisories/GHSA-65p7-pph2-966g

x_refsource_CONFIRM

https://github.com/dbarzin/mercator/commit/839d231399944e43a865198262e96e0218252cc3

x_refsource_MISC

https://github.com/dbarzin/mercator/commit/9902ffd91f287e474729f514c77261f4ef7db8fe

x_refsource_MISC

https://github.com/dbarzin/mercator/commit/c58bb1d2fff18605c61d93cfaf77adca416c560a

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.