CVE-2026-3877
Reflected XSS in VertiGIS FM Dashboard Search Enables Script Execution
Publication date: 2026-04-01
Last updated on: 2026-04-02
Assigner: Switzerland Government Common Vulnerability Program
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vertigis | fm | < 10.13.403 (10.13.403 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3877 is a reflected cross-site scripting (XSS) vulnerability found in the dashboard search functionality of the VertiGIS FM solution.
This vulnerability allows attackers to create a malicious URL that, when visited by an authenticated user, executes arbitrary JavaScript code within the context of that user's session.
The issue arises because parts of the URL are reflected into an HTML script block without output encoding suitable for that context. Inside a script block, HTML-entity encoding alone is not the right defense: the reflected value must be encoded as a JavaScript string (quotes, angle brackets and the sequence </script> escaped), otherwise an attacker can terminate the string literal or the script element and inject JavaScript.
Attackers can deliver this malicious URL through various means, such as sending a link or tricking victims into visiting a crafted page.
How can this vulnerability impact me?
The vulnerability allows arbitrary JavaScript to run in the context of an authenticated user's session.
The attacker's script can therefore issue requests to the application as the victim, reading or modifying whatever data that user is allowed to reach.
The impact is bounded by the victim's privileges: a session belonging to an administrator gives the attacker administrative control of the application, so the confidentiality and integrity of the data held in VertiGIS FM, and potentially the surrounding environment it integrates with, are at risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The reflected XSS vulnerability in VertiGIS FM can be detected by testing the dashboard search endpoint for unencoded reflection of URL parameters. The advisory names the endpoint /demo/1/fm/DashboardSearch.aspx; adjust the host and path prefix to your own installation.
Rather than firing a real payload, send a distinctive, harmless marker that contains a quote and angle brackets and check whether those characters come back unencoded inside the page's script block. The original proof-of-concept URL triggers an alert popup when visited by an authenticated user; note that because the reflection point is a script context, a payload may need to close the surrounding string literal or the script element (for example with </script>) before it executes, so a bare <script> tag that does not visibly fire is not proof that the site is safe.
The endpoint is reached as an authenticated user, so pass a valid session cookie; the parameter name search below is taken from this page's example and should be confirmed against the advisory's proof-of-concept URL. Using -G with --data-urlencode URL-encodes the marker correctly, and grep shows whether it was reflected verbatim:
- curl -s -i -G -b "$SESSION_COOKIE" --data-urlencode 'search=cve3877"<>' "https://your-vertigisfm-server/demo/1/fm/DashboardSearch.aspx" | grep -n 'cve3877"<>'
- A hit means the quote and angle brackets survived unencoded; if the marker only appears as &quot;&lt;&gt; or \u0022\u003c\u003e, the output is being encoded. To confirm execution, visit the crafted URL in a browser while authenticated with developer tools open and observe whether the injected script runs.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade VertiGIS FM to version 10.13.403 or later, where the reflected XSS vulnerability has been patched.
As defense in depth against this class of bug, deploy a Content Security Policy that disallows inline script, mark the session cookie HttpOnly so injected script cannot read it (it can still act with the session while the page is open), and make sure application code encodes user input for the context it is written into: JavaScript-string encoding inside script blocks and HTML-entity encoding in markup.
Until the upgrade is applied, users should treat unsolicited links into the VertiGIS FM application with suspicion, particularly while logged in, since the attack requires the victim to open a crafted URL.
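The following example, added here and not part of the advisory or of VertiGIS's code, ties the detection and mitigation sections together. The two render_* functions are hypothetical stand-ins for how a page might write the search term into its markup: one interpolates it raw into a script block (the CWE-79 pattern described above), the other applies JavaScript-string encoding in the script context and HTML-entity encoding in the body. classify_reflection() is the check a practitioner would run over a response body: it tells a script-context reflection apart from a body reflection and from correctly encoded output, and probe() applies it to a live endpoint given a session cookie. The canary value, the URL and the parameter name search are constructed for the example.

```python
"""Reflection classifier for a search term echoed into a page (added example)."""
import html
import re
import urllib.parse
import urllib.request

# Constructed canary: a unique alphanumeric tag followed by the metacharacters
# that matter in a script context. The tag survives any encoding; the
# metacharacters only survive when output encoding is missing.
CANARY = "cve3877z'\"<>"

SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.IGNORECASE)

# Characters allowed to stay literal inside a JavaScript string literal; every
# other character becomes a \uXXXX escape, so neither a quote nor </script>
# can break out of the string or the script element.
_JS_SAFE = re.compile(r"[A-Za-z0-9 ,.\-_]")


def js_string_encode(value: str) -> str:
    """Encode a value for safe use inside a quoted JavaScript string literal."""
    out = []
    for ch in value:
        cp = ord(ch)
        if _JS_SAFE.match(ch):
            out.append(ch)
        elif cp > 0xFFFF:  # astral characters need a surrogate pair
            cp -= 0x10000
            out.append("\\u%04x\\u%04x" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
        else:
            out.append("\\u%04x" % cp)  # covers < > ' " & / and U+2028/2029
    return "".join(out)


def render_vulnerable(search: str) -> str:
    """Hypothetical page that writes the raw search term into a script block."""
    return ("<html><body><div id='results'></div>\n"
            "<script>var lastSearch = '" + search + "'; runSearch(lastSearch);</script>\n"
            "</body></html>")


def render_hardened(search: str) -> str:
    """Same page with context-appropriate encoding for both reflection points."""
    return ("<html><body><div id='results'>Results for: "
            + html.escape(search, quote=True) + "</div>\n"
            "<script>var lastSearch = '" + js_string_encode(search)
            + "'; runSearch(lastSearch);</script>\n"
            "</body></html>")


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Return 'script-unencoded', 'html-unencoded', 'encoded' or 'not-reflected'.

    The canary must start with an alphanumeric tag (as CANARY does).
    """
    pos = body.find(canary)
    if pos >= 0:
        # Inside a script element if more <script> tags opened than closed before it.
        opens = len(SCRIPT_OPEN.findall(body[:pos]))
        closes = len(SCRIPT_CLOSE.findall(body[:pos]))
        return "script-unencoded" if opens > closes else "html-unencoded"
    tag = re.match(r"[A-Za-z0-9]+", canary).group(0)
    return "encoded" if tag in body else "not-reflected"


def probe(base_url: str, cookie: str, param: str = "search") -> str:
    """Fetch the live endpoint as an authenticated user and classify the reflection.

    base_url example (hypothetical): https://fm.example.org/demo/1/fm/DashboardSearch.aspx
    """
    url = base_url + "?" + urllib.parse.urlencode({param: CANARY})
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print("vulnerable:", classify_reflection(render_vulnerable(CANARY)))
    print("hardened:  ", classify_reflection(render_hardened(CANARY)))
```

A result of script-unencoded is the condition this CVE describes; html-unencoded is a body-context reflection that needs HTML-entity encoding instead, and encoded means the metacharacters were neutralised for at least the reflection points the canary reached. The encoder is deliberately allow-list based: it is easier to reason about what may pass through than to enumerate every sequence that could close a string or a script element.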
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not explicitly address how the reflected cross-site scripting (XSS) vulnerability in VertiGIS FM impacts compliance with common standards and regulations such as GDPR or HIPAA.