https://hadrien.cat/tags/mercator/Recent content in Mercator on hadzahHugoenSat, 21 Feb 2026 00:00:00 +0000https://hadrien.cat/posts/mercator-account-takeover/Sat, 21 Feb 2026 00:00:00 +0000https://hadrien.cat/posts/mercator-account-takeover/Description A low-privileged user (with the User role) can achieve a full administrator account takeover on Mercator by injecting a malicious script into the contact_point field when creating an entity. When an admin visits the entity listing page, the payload executes in their browser context, silently changing the admin password without any re-authentication. Product Mercator Version <= 2026.03.01 Type CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CVSS 4.