CVE-2026-27639
Status: Received - Intake
Stored XSS in Mercator Web App Allows Admin Browser Exploitation

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Mercator is an open source web application designed to enable mapping of information systems. A stored Cross-Site Scripting (XSS) vulnerability exists in Mercator prior to version 2026.02.22 due to the use of unescaped Blade directives (`{!! !!}`) in display templates. An authenticated user with the User role can inject arbitrary JavaScript payloads into fields such as "contact point" when creating or editing entities. The payload is then executed in the browser of any user who views the affected page, including administrators. Version 2026.02.22 fixes the vulnerability.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: sourcentis
Product: mercator
Version / Range: up to 2026.02.22 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27639 is a stored Cross-Site Scripting (XSS) vulnerability in the Mercator web application prior to version 2026.02.22. It occurs because unescaped Laravel Blade directives (`{!! !!}`) are used in display templates, which render raw HTML without escaping. This improper use affects plain-text fields such as the "contact point" field. An authenticated user with the User role can inject arbitrary JavaScript payloads into these fields when creating or editing entities.

The injected script is then executed in the browser of any user who views the affected page, including administrators. This allows attackers to steal sensitive tokens like the administrator's CSRF token (XSRF-TOKEN), enabling unauthorized state-changing requests on behalf of the administrator.

The vulnerability arises from the lack of server-side sanitization of user inputs and the use of unescaped output in templates. The fix involves sanitizing inputs using a BaseFormRequest class with HTML purification and replacing unescaped Blade directives with escaped ones for fields not requiring HTML rendering. [3]


How can this vulnerability impact me?

This vulnerability can have serious security impacts if exploited. An attacker with a low privilege authenticated User role can inject malicious JavaScript into certain fields.

When an administrator or any user with higher privileges views the affected page, the malicious script executes in their browser. This can lead to theft of the administrator's CSRF token, which can be used to perform unauthorized actions on the application, such as changing data or settings without permission.

Although session cookies are protected by the HttpOnly flag, the stolen CSRF token allows attackers to bypass protections against cross-site request forgery, compromising confidentiality and integrity of the application data and user actions. [3]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability is a stored Cross-Site Scripting (XSS) issue in Mercator prior to version 2026.02.22, exploitable by an authenticated user with User role injecting JavaScript payloads into fields such as "contact point". Detection involves identifying if such payloads exist in the application data and if unescaped Blade directives (`{!! !!}`) are used in display templates rendering user input.

Since the vulnerability involves stored XSS in specific fields, detection can be done by querying the database or application data for suspicious JavaScript payloads in fields like "contact point", "description", or other textual fields.

No explicit commands are provided in the resources, but general detection steps could include:

  • Query the database for suspicious script tags or JavaScript event handlers in fields such as 'contact_point' or 'description'. For example, using SQL: `SELECT * FROM entities WHERE contact_point LIKE '%<script>%';`
  • Use web application scanning tools or proxy tools (e.g., Burp Suite) to test input fields by injecting benign XSS payloads and observing if they are executed when viewing the affected pages.
  • Check the Mercator application version to confirm if it is prior to 2026.02.22, which is vulnerable.

Because the vulnerability requires an authenticated user with User role to inject payloads and an administrator to view the page to trigger the XSS, monitoring logs for unusual input or unexpected JavaScript execution in admin sessions may also help detect exploitation. [3]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Mercator to version 2026.02.22 or later, which includes fixes for this vulnerability.

The fix involves:

  • Replacing unescaped Blade directives ({!! !!}) with escaped directives ({{ }}) in templates for fields that do not require HTML rendering.
  • Implementing input sanitization via a new BaseFormRequest class that uses the mews/purifier package to clean HTML input safely and strip tags from plain-text fields.
  • Refactoring request validation classes to extend from BaseFormRequest and explicitly mark fields that may contain HTML for proper sanitization.

If an immediate upgrade is not possible, as a temporary measure, restrict authenticated user input to trusted users only, and audit or sanitize existing data in vulnerable fields to remove malicious scripts.

Additionally, monitor administrator access and consider applying web application firewall (WAF) rules to detect and block suspicious script injections.
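As an added illustration of the fix pattern described above (example code, not Mercator's own), a Laravel base form request that purifies only fields explicitly marked as HTML with mews/purifier and strips tags from every other string field, with the Blade template change shown alongside. The class names, the `htmlFields` property and the `contact_point`/`description` field names are assumptions.

```php
<?php
// Added example, not Mercator's own code. Assumes Laravel with mews/purifier
// installed; class and field names are assumptions for illustration.
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Mews\Purifier\Facades\Purifier;

abstract class BaseFormRequest extends FormRequest
{
    /** Fields that may legitimately contain HTML; subclasses override this. */
    protected array $htmlFields = [];

    /** Runs before validation: purify HTML fields, strip tags from the rest. */
    protected function prepareForValidation(): void
    {
        $clean = [];
        foreach ($this->all() as $key => $value) {
            if (!is_string($value)) {
                continue;                    // leave arrays, files, numbers untouched
            }
            $clean[$key] = in_array($key, $this->htmlFields, true)
                ? Purifier::clean($value)    // allow-listed HTML only (HTMLPurifier)
                : strip_tags($value);        // plain-text field: no markup at all
        }
        $this->merge($clean);
    }
}

/** Example subclass: only "description" is allowed to carry HTML. */
class StoreEntityRequest extends BaseFormRequest
{
    protected array $htmlFields = ['description'];

    public function rules(): array
    {
        return [
            'contact_point' => ['nullable', 'string', 'max:255'],
            'description'   => ['nullable', 'string'],
        ];
    }
}

// Template side (Blade), shown as a comment. Output escaping stays the primary
// control; the input sanitization above is defense in depth for stored data.
//   vulnerable: {!! $entity->contact_point !!}   renders raw HTML, so a stored
//               payload in the field executes in every viewer's browser
//   fixed:      {{ $entity->contact_point }}     escapes via htmlspecialchars,
//               so the same content renders as inert text
```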

