CVE-2026-49345: CWE-918: Server-Side Request Forgery (SSRF) in sourcentis mercator
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (`/admin/config/parameters`). The `testProvider()` method in `ConfigurationController` passes user-supplied input directly to `curl_init()` without validating the scheme, hostname, or destination IP address. An authenticated user with the `configure` permission can force the Mercator server to issue arbitrary outbound network requests. The suffix `/api/dbInfo` appended to the URL can be bypassed by injecting a `#` fragment character (e.g. `http://TARGET/PATH#`), allowing full control over the target URL. No scheme whitelist, host whitelist, or private/loopback IP block is applied. The `telnet://` scheme can be used for internal port scanning; the `gopher://` scheme enables interaction with unauthenticated internal services (Redis, Memcached), potentially leading to Remote Code Execution under specific deployment conditions. Version 2025.05.19 patches the issue.
AI Analysis
Technical Summary
CVE-2026-49345 is an SSRF vulnerability in Mercator's ConfigurationController testProvider() method, where user input is passed directly to curl_init() without validating scheme, hostname, or IP address. This allows authenticated users with configure permission to force the server to issue arbitrary network requests. The vulnerability includes bypass of URL suffix restrictions via fragment injection and lacks any whitelist or IP blocking. Use of telnet:// and gopher:// schemes can enable internal port scanning and interaction with unauthenticated internal services such as Redis or Memcached, possibly leading to remote code execution in specific deployments. The vulnerability is fixed in Mercator version 2025.05.19.
Potential Impact
An authenticated user with configure permissions can exploit this SSRF vulnerability to make arbitrary outbound requests from the Mercator server. This can lead to internal network reconnaissance, interaction with unauthenticated internal services, and potentially remote code execution under certain deployment conditions. The lack of input validation and absence of whitelisting or IP blocking increases the risk of abuse.
Mitigation Recommendations
Upgrade Mercator to version 2025.05.19 or later, which patches this SSRF vulnerability. No other official remediation or temporary fixes are documented. Until patched, restrict configure permissions to trusted users only.
CVE-2026-49345: CWE-918: Server-Side Request Forgery (SSRF) in sourcentis mercator
Description
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (`/admin/config/parameters`). The `testProvider()` method in `ConfigurationController` passes user-supplied input directly to `curl_init()` without validating the scheme, hostname, or destination IP address. An authenticated user with the `configure` permission can force the Mercator server to issue arbitrary outbound network requests. The suffix `/api/dbInfo` appended to the URL can be bypassed by injecting a `#` fragment character (e.g. `http://TARGET/PATH#`), allowing full control over the target URL. No scheme whitelist, host whitelist, or private/loopback IP block is applied. The `telnet://` scheme can be used for internal port scanning; the `gopher://` scheme enables interaction with unauthenticated internal services (Redis, Memcached), potentially leading to Remote Code Execution under specific deployment conditions. Version 2025.05.19 patches the issue.
CVSS v4.0
Score 5.3medium
Affected software
pkg:github/sourcentis/mercatorRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-49345 is an SSRF vulnerability in Mercator's ConfigurationController testProvider() method, where user input is passed directly to curl_init() without validating scheme, hostname, or IP address. This allows authenticated users with configure permission to force the server to issue arbitrary network requests. The vulnerability includes bypass of URL suffix restrictions via fragment injection and lacks any whitelist or IP blocking. Use of telnet:// and gopher:// schemes can enable internal port scanning and interaction with unauthenticated internal services such as Redis or Memcached, possibly leading to remote code execution in specific deployments. The vulnerability is fixed in Mercator version 2025.05.19.
Potential Impact
An authenticated user with configure permissions can exploit this SSRF vulnerability to make arbitrary outbound requests from the Mercator server. This can lead to internal network reconnaissance, interaction with unauthenticated internal services, and potentially remote code execution under certain deployment conditions. The lack of input validation and absence of whitelisting or IP blocking increases the risk of abuse.
Mitigation Recommendations
Upgrade Mercator to version 2025.05.19 or later, which patches this SSRF vulnerability. No other official remediation or temporary fixes are documented. Until patched, restrict configure permissions to trusted users only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-29T14:35:45.903Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a359d6df198dc38c12203ad
Added to database: 6/19/2026, 7:50:05 PM
Last enriched: 6/19/2026, 8:05:36 PM
Last updated: 6/19/2026, 9:11:59 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.