PT-2026-21855 · Mercator · Mercator

Hadhub · Published 2026-02-25 · Updated 2026-02-27 · CVE-2026-27639

CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Mercator versions prior to 2026.02.22

Description: Mercator is a web application for mapping information systems. A stored Cross-Site Scripting (XSS) issue exists because display templates use unescaped Blade directives ({!! !!}) to output user-supplied values. An authenticated user with the User role can store JavaScript payloads in fields such as "contact point" when creating or editing entities. The stored script executes in the browser of any user who views the affected page, potentially including administrators. Because the value is echoed without HTML escaping, an attacker can run arbitrary script in the application's origin with the privileges of the viewing user.

Recommendations: Update to version 2026.02.22 or later.
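Added illustration, not code from Mercator or this advisory: the difference between Blade's raw echo and its escaped echo on a value the user controls, plus a small audit helper that lists every raw {!! !!} echo in a template source. The field name contact_point and the entity variable are assumed for the example.

```php
<?php
// Added example (not Mercator's code). Laravel compiles `{{ $v }}` so the value
// passes through the e() helper before being echoed, while `{!! $v !!}` echoes
// the raw value; e() is htmlspecialchars() with ENT_QUOTES | ENT_SUBSTITUTE.
declare(strict_types=1);

// Stand-in for Laravel's e() helper so this file runs without the framework.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders a "contact point" table cell the way `{!! $contact !!}` does
// (weak form) and the way `{{ $contact }}` does (corrected form).
function renderContactCell(string $contact, bool $escaped): string
{
    $body = $escaped ? escapeForHtml($contact) : $contact;
    return '<td>' . $body . '</td>';
}

// Audit helper: return every raw `{!! ... !!}` echo in a Blade template source
// with its line number, so a reviewer can check whether the value is user-controlled.
function findRawEchoes(string $bladeSource): array
{
    $hits = [];
    foreach (explode("\n", $bladeSource) as $i => $line) {
        if (preg_match_all('/\{!!\s*(.*?)\s*!!\}/', $line, $m)) {
            foreach ($m[1] as $expr) {
                $hits[] = ['line' => $i + 1, 'expr' => $expr];
            }
        }
    }
    return $hits;
}

// Constructed sample input: a contact-point value carrying a script tag.
$contact = '<script>alert(1)</script>';
echo renderContactCell($contact, false), "\n"; // raw: the tag reaches the browser intact
echo renderContactCell($contact, true), "\n";  // escaped: &lt;script&gt;...&lt;/script&gt;

// Constructed Blade fragment mixing both echo forms; the assumed field name is contact_point.
$template = "<td>{{ \$entity->name }}</td>\n<td>{!! \$entity->contact_point !!}</td>\n";
foreach (findRawEchoes($template) as $hit) {
    printf("line %d: raw echo of %s\n", $hit['line'], $hit['expr']);
}
```

Running the audit helper over a project's resources/views tree gives the list of raw echoes to review; any that output a field editable by a low-privilege role should use the escaped form or an explicit sanitizer.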

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-27639
GHSA-65P7-PPH2-966G

Affected Products

Mercator