CVE-2026-3877
Awaiting Analysis Awaiting Analysis - Queue
Reflected XSS in VertiGIS FM Dashboard Search Enables Script Execution

Publication date: 2026-04-01

Last updated on: 2026-04-02

Assigner: Switzerland Government Common Vulnerability Program

Description
A reflected cross-site scripting (XSS) vulnerability in the dashboard search functionality of the VertiGIS FM solution allows attackers to craft a malicious URL, that if visited by an authenticated victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3877
EUVD
EUVD-2026-17883
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vertigis fm to 10.13.403 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not explicitly address how the reflected cross-site scripting (XSS) vulnerability in VertiGIS FM impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-3877 is a reflected cross-site scripting (XSS) vulnerability found in the dashboard search functionality of the VertiGIS FM solution.

This vulnerability allows attackers to create a malicious URL that, when visited by an authenticated user, executes arbitrary JavaScript code within the context of that user's session.

The issue arises because parts of the URL are reflected into an HTML script tag without proper output encoding, enabling JavaScript injection.

Attackers can deliver this malicious URL through various means, such as sending a link or tricking victims into visiting a crafted page.

Impact Analysis

The vulnerability can lead to the execution of arbitrary JavaScript code in the context of an authenticated user.

This enables attackers to perform unauthorized actions on behalf of the victim, including viewing or modifying data if the victim has sufficient privileges.

Such actions could compromise the confidentiality, integrity, and availability of the victim's data and potentially the entire application environment.

Detection Guidance

The reflected XSS vulnerability in VertiGIS FM can be detected by testing the dashboard search functionality endpoint for improper output encoding of URL parameters.

Specifically, you can attempt to access the endpoint /demo/1/fm/DashboardSearch.aspx with crafted URLs containing JavaScript payloads to see if the script executes in the context of an authenticated user.

For example, a proof-of-concept URL triggers an alert popup when visited by an authenticated user, indicating the presence of the vulnerability.

Commands to detect this might include using curl or wget to fetch the URL and inspect the response for reflected script tags, or using browser developer tools to test script execution.

  • curl -i "https://your-vertigisfm-server/demo/1/fm/DashboardSearch.aspx?search=<script>alert(1)</script>"
  • Use a browser with developer tools to visit a crafted URL while authenticated and observe if an alert popup or script execution occurs.
Mitigation Strategies

The primary mitigation step is to upgrade VertiGIS FM to version 10.13.403 or later, where the reflected XSS vulnerability has been patched.

Additionally, it is recommended to implement defense-in-depth measures such as limiting process permissions, restricting file system and network access, and applying firewall rules to reduce exposure.

Avoid clicking on or opening suspicious URLs that could contain malicious scripts, especially when authenticated to the VertiGIS FM application.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3877. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart