Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 25, 2026

Mercator vulnerable to stored XSS via unescaped Blade directives in display templates

CVE-2026-27639

Description

Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives ({!! !!}) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.

Affected products

Dbarzin/Mercatorllm-fuzzy2 versions
<2026.02.22+ 1 more
- (no CPE)range: <2026.02.22
- (no CPE)range: < 2026.02.22

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/dbarzin/mercator/commit/839d231399944e43a865198262e96e0218252cc3mitrex_refsource_MISC
github.com/dbarzin/mercator/commit/9902ffd91f287e474729f514c77261f4ef7db8femitrex_refsource_MISC
github.com/dbarzin/mercator/commit/c58bb1d2fff18605c61d93cfaf77adca416c560amitrex_refsource_MISC
github.com/dbarzin/mercator/security/advisories/GHSA-65p7-pph2-966gmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000