
CVE-2026-0521: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in TYDAC AG MAP+

Severity: Medium
Published: Fri Feb 06 2026 (02/06/2026, 06:17:02 UTC)
Source: CVE Database V5
Vendor/Project: TYDAC AG
Product: MAP+

Description

CVE-2026-0521 is a reflected cross-site scripting (XSS) vulnerability found in the PDF export functionality of TYDAC AG's MAP+ solution, version 3.4.0. This vulnerability allows unauthenticated attackers to craft malicious URLs that execute arbitrary JavaScript in the victim's browser context if the victim visits the link. Exploitation requires no authentication but does require user interaction to click or visit the malicious URL. The vulnerability stems from improper neutralization of input during web page generation (CWE-79). Although no known exploits are currently in the wild, the medium severity CVSS score of 5.6 reflects the moderate risk posed by this issue. European organizations using MAP+ should be aware of this risk, especially those in critical infrastructure or sectors relying on this software for geospatial or mapping services. Mitigation involves validating and sanitizing user inputs in the PDF export feature and educating users to avoid clicking suspicious links.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/13/2026, 07:28:05 UTC

Technical Analysis

CVE-2026-0521 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79, affecting the PDF export functionality of TYDAC AG's MAP+ solution, specifically verified in version 3.4.0. The vulnerability arises from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious JavaScript code. Because the vulnerability is reflected, the malicious payload is embedded in a crafted URL that, when visited by a victim, causes the victim's browser to execute the injected script within the security context of the MAP+ web application. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The attack is carried out over the network (AV:N), has low attack complexity (AC:L), and does not require privileges (PR:N), but does require active user interaction (UI:A) such as clicking the malicious link. On the vulnerable system, the confidentiality impact is low and the integrity and availability impacts are high (VC:L, VI:H, VA:H); there is no confidentiality (SC:N), integrity (SI:N), or availability (SA:N) impact on subsequent systems. No patches or known exploits are currently reported. The vulnerability was reserved in December 2025 and published in February 2026, with the National Cyber Security Centre of Switzerland (NCSC.ch) as the assigner. The CVSS 4.0 base score is 5.6, indicating medium severity. The issue is particularly relevant for organizations relying on MAP+ for geospatial data visualization and export, as exploitation could compromise user sessions and data integrity through client-side attacks.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily through client-side exploitation. If attackers successfully trick users into clicking malicious URLs, they can execute arbitrary JavaScript in the context of the MAP+ application, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions within the application. This is especially critical for sectors that use MAP+ for sensitive geospatial or mapping data, such as utilities, transportation, defense, and critical infrastructure. The reflected XSS could be leveraged as an initial access vector or to escalate privileges within the affected environment. Although the vulnerability does not directly compromise server-side systems, the impact on confidentiality and integrity at the user level can lead to broader organizational risks, including data leakage and operational disruption. The requirement for user interaction limits automated exploitation but does not eliminate risk, particularly in environments where social engineering or phishing attacks are common. The absence of known exploits suggests a window for proactive mitigation before widespread abuse.

Mitigation Recommendations

To mitigate CVE-2026-0521, organizations should implement the following specific measures:

1) Apply input validation and output encoding specifically on the parameters used in the PDF export functionality to ensure all user-supplied data is properly sanitized against script injection.
2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the MAP+ web application context.
3) Educate users about the risks of clicking unsolicited or suspicious links, especially those purporting to be related to MAP+ exports or reports.
4) Monitor web server logs and application telemetry for unusual URL patterns or repeated attempts to exploit the PDF export feature.
5) Engage with TYDAC AG for updates or patches addressing this vulnerability and prioritize their deployment once available.
6) Consider implementing web application firewalls (WAFs) with custom rules to detect and block reflected XSS payloads targeting MAP+.
7) Conduct regular security assessments and penetration testing focused on client-side vulnerabilities in MAP+ deployments.

These targeted actions go beyond generic advice by focusing on the vulnerable PDF export feature and user interaction vectors.


Technical Details

Data Version: 5.2
Assigner Short Name: NCSC.ch
Date Reserved: 2025-12-17T08:22:37.425Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69858a71f9fa50a62fe12635

Added to database: 2/6/2026, 6:30:09 AM

Last enriched: 2/13/2026, 7:28:05 AM

Last updated: 3/23/2026, 2:41:15 PM
