
CVE-2026-27639: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dbarzin mercator

Severity: High
Published: Wed Feb 25 2026 (02/25/2026, 03:44:26 UTC)
Source: CVE Database V5
Vendor/Project: dbarzin
Product: mercator

Description

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives (`{!! !!}`) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.

AI-Powered Analysis

Last updated: 02/25/2026, 04:27:16 UTC

Technical Analysis

Mercator is an open-source web application designed for mapping information systems. A stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-27639, exists in Mercator versions prior to 2026.02.22. The root cause is the use of unescaped Blade directives (`{!! !!}`) in the display templates, which emit user-supplied input into the page without neutralizing it. An authenticated user with the User role can inject arbitrary JavaScript code into input fields such as 'contact point' when creating or editing entities. The script is stored persistently and executes in the browser of any user who subsequently views the affected page, including administrators. No privileges beyond a standard User role are needed, and the only user interaction involved is the victim viewing the page. The CVSS 4.0 score is 8.5 (high severity), reflecting a network attack vector, low attack complexity, privileges required limited to the User role, and user interaction limited to viewing the page. The impact on confidentiality and integrity is high because of potential session hijacking, data theft, or unauthorized actions performed in the context of the victim's session. Availability impact is not significant. No known exploits are reported in the wild as of publication. The vulnerability is fixed in Mercator version 2026.02.22 by properly escaping user input in templates to prevent script injection.
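As an added illustration that is not Mercator's or Laravel's own code: Blade's `{{ }}` directive HTML-encodes its value (it compiles to a call to Laravel's `e()` helper, a wrapper around `htmlspecialchars`), while `{!! !!}` emits the value verbatim. The plain PHP below re-creates both behaviours outside the framework, renders a constructed "contact point" value each way, and adds a small review aid that lists every raw-echo directive in a template source with its line number. The `bladeEscape` stand-in, the `renderContactPoint*` functions, the field names and the template excerpt are all assumptions made for the example, not Mercator's templates.

```php
<?php
// Added example; not code from Mercator or Laravel. It reproduces, outside the
// framework, what Blade's two echo directives do so the CVE-2026-27639 root
// cause and its fix can be compared side by side.

declare(strict_types=1);

// Blade compiles `{{ $x }}` to `<?php echo e($x); ?>`. Laravel's e() helper is a
// thin wrapper over htmlspecialchars; this stand-in uses the same flags and is
// assumed equivalent for plain strings, which is all this example needs.
function bladeEscape(?string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $doubleEncode);
}

// Pre-fix rendering: the equivalent of `{!! $entity->contact_point !!}`.
// Whatever the user stored is written into the page verbatim.
function renderContactPointRaw(string $contactPoint): string
{
    return '<dd class="contact-point">' . $contactPoint . '</dd>';
}

// Fixed rendering: the equivalent of `{{ $entity->contact_point }}`.
// Markup characters become entities, so they are displayed, not interpreted.
function renderContactPointEscaped(string $contactPoint): string
{
    return '<dd class="contact-point">' . bladeEscape($contactPoint) . '</dd>';
}

// Review aid (code review of template rendering): list every raw-echo directive
// in a Blade template source with its line number, so each one can be justified
// or replaced with `{{ }}`.
function findRawEchoDirectives(string $bladeSource): array
{
    preg_match_all('/\{!!\s*(.*?)\s*!!\}/s', $bladeSource, $matches, PREG_OFFSET_CAPTURE);
    $findings = [];
    foreach ($matches[0] as $i => [$directive, $offset]) {
        // Line number = newlines before the match offset, plus one.
        $line = substr_count(substr($bladeSource, 0, $offset), "\n") + 1;
        $findings[] = ['line' => $line, 'expression' => $matches[1][$i][0]];
    }
    return $findings;
}

// --- Demonstration with constructed inputs ---------------------------------

// A value a User-role account could save in "contact point". The embedded
// script tag is the canonical harmless XSS probe, constructed for this example.
$storedValue = 'Jane Doe <script>alert("xss")</script>';

echo "Raw echo ({!! !!}) output, as a browser would receive it:\n";
echo renderContactPointRaw($storedValue), "\n\n";

echo "Escaped echo ({{ }}) output, markup turned into entities:\n";
echo renderContactPointEscaped($storedValue), "\n\n";

// Constructed template excerpt written in the pre-fix style; not a Mercator file.
$templateSource = <<<'BLADE'
<dt>Name</dt>
<dd>{{ $entity->name }}</dd>
<dt>Contact point</dt>
<dd>{!! $entity->contact_point !!}</dd>
<dt>Description</dt>
<dd>{!! nl2br($entity->description) !!}</dd>
BLADE;

echo "Raw-echo directives to review:\n";
foreach (findRawEchoDirectives($templateSource) as $hit) {
    printf("  line %d: {!! %s !!}\n", $hit['line'], $hit['expression']);
}
```

Run it with `php example.php`. The raw rendering passes the `<script>` element straight through, while the escaped rendering turns `<`, `>` and `"` into `&lt;`, `&gt;` and `&quot;`, so the same stored value is shown as text. The review aid reports the two raw-echo lines of the constructed excerpt; in a real review, a raw echo is acceptable only when the expression's value is already sanitized HTML, and anything that carries a user-entered string belongs in `{{ }}`.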

Potential Impact

The vulnerability allows attackers with authenticated User role access to inject persistent malicious JavaScript into Mercator's web interface. This can lead to session hijacking, theft of sensitive information, unauthorized administrative actions, or distribution of malware to other users, including administrators. Organizations relying on Mercator for mapping critical information systems risk compromise of sensitive data and control mechanisms. The attack can facilitate lateral movement within networks or lead to broader compromise if administrative accounts are targeted. Since the vulnerability requires only authenticated User role access, insider threats or compromised user accounts can be leveraged to exploit this flaw. The breadth of impact depends on how widely Mercator is deployed within organizations managing critical infrastructure or sensitive data. The lack of known exploits in the wild reduces immediate risk but does not preclude targeted attacks, especially in high-value environments.

Mitigation Recommendations

1. Upgrade Mercator installations to version 2026.02.22 or later, which includes the fix for this vulnerability.
2. Implement strict input validation and output encoding in all user-supplied fields, especially those rendered with Blade templates, to prevent injection of executable code.
3. Enforce the principle of least privilege by reviewing and restricting User role permissions to minimize the ability to inject malicious content.
4. Monitor application logs and user activities for unusual input patterns or script injection attempts.
5. Educate users and administrators about the risks of stored XSS and encourage cautious handling of user-generated content.
6. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
7. Conduct regular security assessments and code reviews focusing on template rendering and input handling.
8. Consider implementing multi-factor authentication to reduce the risk of compromised user accounts being exploited to inject malicious payloads.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-20T22:02:30.029Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699e7673b7ef31ef0bd379b6

Added to database: 2/25/2026, 4:11:31 AM

Last enriched: 2/25/2026, 4:27:16 AM

Last updated: 2/26/2026, 9:36:29 AM

