CVE-2026-49345

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (/admin/config/parameters). The testProvider() method in ConfigurationController passes user-supplied input directly to curl init() without validating the scheme, hostname, or destination IP address. An authenticated user with the configure permission can force the Mercator server to issue arbitrary outbound network requests. The suffix /api/dbInfo appended to the URL can be bypassed by injecting a # fragment character (e.g. http://TARGET/PATH#), allowing full control over the target URL. No scheme whitelist, host whitelist, or private/loopback IP block is applied. The telnet:// scheme can be used for internal port scanning; the gopher:// scheme enables interaction with unauthenticated internal services (Redis, Memcached), potentially leading to Remote Code Execution under specific deployment conditions. Version 2025.05.19 patches the issue.