CVE-2026-0521
Reflected XSS in TYDAC AG MAP+ PDF Export Enables Script Execution
Publication date: 2026-02-06
Last updated on: 2026-02-18
Assigner: Switzerland Government Common Vulnerability Program
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tydac | map+ | 3.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-0521 is a reflected cross-site scripting (XSS) vulnerability found in the PDF export functionality of the MAP+ WebGIS application developed by TYDAC AG.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application improperly reflects the "site" parameter in error messages generated during PDF export failures without proper sanitization.'}, {'type': 'paragraph', 'content': 'An unauthenticated attacker can craft a malicious URL containing JavaScript code that executes in the victimβs browser context if the victim visits the URL while having a valid session cookie.'}, {'type': 'paragraph', 'content': 'This happens because the "site" parameter value is included unescaped in the serverβs error response, allowing the injected script to run in the victimβs browser.'}, {'type': 'paragraph', 'content': 'The attack vector requires the victim to open the malicious URL, which can be delivered via phishing or other social engineering methods.'}] [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript in the victimβs browser context.
Potential impacts include stealing session cookies and hijacking user sessions.
Depending on the privileges of the compromised user, attackers may also modify stored geodata within the application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The vulnerability can be detected by testing the PDF export functionality of the MAP+ application for reflected cross-site scripting (XSS) in the "site" parameter. Specifically, sending crafted GET requests with script tags in the "site" parameter and observing if the server response includes the unescaped script in error messages indicates the presence of the vulnerability.'}, {'type': 'paragraph', 'content': 'For example, you can use curl or similar HTTP clients to send a request like:'}, {'type': 'list_item', 'content': 'curl -v "http://<target>/pdfexport?site=<script>alert(document.cookie);</script>"'}, {'type': 'paragraph', 'content': 'If the response contains the script tag unescaped in the error message, it confirms the vulnerability.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring web server logs for suspicious URLs containing script tags in the "site" parameter or unusual error messages related to PDF export failures can help detect exploitation attempts.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the vendor-provided patches that address this vulnerability. The vendor has backported patches to all versions greater than 3.0, so updating to the latest patched version is critical.
Implementing a strong Content-Security-Policy (CSP) is recommended to reduce the risk of script execution from untrusted sources.
Additionally, review and properly configure Cross-Origin Resource Sharing (CORS) settings to prevent trust relationships with other web applications on the same domain, which could be exploited.
Finally, educate users to be cautious about clicking on suspicious links, as the attack requires victims to visit malicious URLs.