CVE-2026-27639 - Vulnerability Analysis
Mercator - Stored XSS
Published: February 25, 2026
Updated: February 25, 2026
PoC Available
Overview
Mercator before 2026.02.22 contains a stored cross-site scripting vulnerability caused by unescaped Blade directives in display templates. An authenticated user with the User role can inject JavaScript that is stored by the application and executed in other users' browsers when the affected pages are viewed; exploitation requires an authenticated account with the User role.
Severity & Score
Severity: N/a
Impact
Authenticated users can execute arbitrary JavaScript in other users' browsers, potentially leading to session hijacking or privilege escalation.
Mitigation
Update to version 2026.02.22 or later.
References
- https://github.com/dbarzin/mercator/security/advisories/GHSA-65p7-pph2-966g
- https://github.com/dbarzin/mercator/commit/839d231399944e43a865198262e96e0218252cc3
- https://github.com/dbarzin/mercator/commit/9902ffd91f287e474729f514c77261f4ef7db8fe
- https://github.com/dbarzin/mercator/commit/c58bb1d2fff18605c61d93cfaf77adca416c560a
Details
- CVE ID: CVE-2026-27639
- Severity: N/a
- Type: stored_xss
- Status: unconfirmed
CWE
- CWE-79
CVSS Metrics
N/A