<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Web on hadzah</title><link>https://hadrien.cat/tags/web/</link><description>Recent content in Web on hadzah</description><generator>Hugo</generator><language>en</language><lastBuildDate>Thu, 21 May 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://hadrien.cat/tags/web/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-49344 Mercator : Leak PII via JSON DSL</title><link>https://hadrien.cat/posts/pii_leak_mercator/</link><pubDate>Thu, 21 May 2026 00:00:00 +0000</pubDate><guid>https://hadrien.cat/posts/pii_leak_mercator/</guid><description>PII extraction via JSON DSL query. For the PoC, see my GitHub: https://github.com/hadhub/CVE-2026-49344-Mercator-JSON-DSL
The advisory: https://github.com/sourcentis/mercator/security/advisories/GHSA-q3r8-3h7c-96w3
Description: Mercator embeds a &amp;ldquo;Query Engine&amp;rdquo;. This feature lets users submit a JSON DSL that describes a query against the application&amp;rsquo;s Eloquent models. The DSL accepts the keys from, select, filters, traverse and output. The engine translates the DSL into an Eloquent query and returns the matching rows as JSON.
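The authorisation step such an engine needs before it builds the ORM query, as an added example that is not Mercator's code: the DSL keys follow the description above, while the role-to-model policy table, the shape of filters entries ({"field": ...}) and of traverse hops ({"relation": ..., "model": ..., "select": [...]}) are assumptions made for the example.

```python
"""Added example (not Mercator's code): enforce model- and column-level
access control on a JSON DSL query before it reaches the ORM.

The DSL keys (from, select, filters, traverse, output) follow the post;
the POLICY table and the filters/traverse entry shapes are constructed."""
import json

# Constructed policy: which models each role may read, and which columns
# of those models are exposed. "*" means every column. Anything absent is
# denied, so a new model holding personal data is private by default.
POLICY = {
    "user": {
        "Application": {"id", "name", "description"},
        "Process": {"id", "name"},
    },
    "admin": {
        "Application": "*",
        "Process": "*",
        "User": {"id", "name", "email"},  # never password_hash, even for admins
    },
}

ALLOWED_KEYS = {"from", "select", "filters", "traverse", "output"}


class DslDenied(PermissionError):
    pass


def _columns_for(role, model):
    allowed = POLICY.get(role, {}).get(model)
    if allowed is None:
        raise DslDenied(f"role {role!r} may not query model {model!r}")
    return allowed


def _check_columns(role, model, columns, what):
    allowed = _columns_for(role, model)
    if allowed == "*":
        return
    for col in columns:
        if col not in allowed:
            raise DslDenied(f"{what}: column {col!r} of {model!r} not exposed to {role!r}")


def authorize_query(dsl_text, role):
    """Parse a DSL document and return it as a dict, or raise DslDenied.

    Checks, in order: the document is an object with no unknown keys, the
    target model is readable by the role, selected and filtered columns are
    exposed, and every traversed relation targets a model the role may read.
    'output' only shapes the response and is passed through unchanged."""
    dsl = json.loads(dsl_text)
    if not isinstance(dsl, dict):
        raise DslDenied("DSL document must be an object")
    unknown = set(dsl) - ALLOWED_KEYS
    if unknown:
        raise DslDenied(f"unknown DSL keys: {sorted(unknown)}")
    model = dsl.get("from")
    if not isinstance(model, str):
        raise DslDenied("'from' must name a model")
    select = dsl.get("select", [])
    if not select:
        raise DslDenied("'select' must list columns explicitly; no implicit SELECT *")
    _check_columns(role, model, select, "select")
    # Filters leak data too: filtering on a hidden column is a yes/no oracle
    # even though the column is never returned, so they get the same check.
    # Assumed filter shape: {"field": ..., "op": ..., "value": ...}.
    _check_columns(role, model, [f["field"] for f in dsl.get("filters", [])], "filters")
    # Assumed hop shape: {"relation": ..., "model": ..., "select": [...]}.
    for hop in dsl.get("traverse", []):
        target = hop.get("model")
        _check_columns(role, target, hop.get("select", []), f"traverse {hop.get('relation')}")
    return dsl


def is_authorized(dsl_text, role):
    """Boolean wrapper: malformed documents count as denied, not as errors."""
    try:
        authorize_query(dsl_text, role)
        return True
    except (DslDenied, ValueError, KeyError, TypeError):
        return False
```

The deny-by-default table is the point: the controller should decide what a role may read before the DSL decides what to read, and the same rule has to cover columns named in filters and in traversed relations, not only the ones listed in select.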
Before the fix, the QueryController::execute() method performed no access control on the target model: any model the from key named was queried, including those holding personal data.</description></item><item><title>CVE-2026-49345 Mercator : SSRF To Conditional RCE</title><link>https://hadrien.cat/posts/ssrf_mercator/</link><pubDate>Thu, 21 May 2026 00:00:00 +0000</pubDate><guid>https://hadrien.cat/posts/ssrf_mercator/</guid><description>SSRF inside the Provider feature. For the PoC, see my GitHub: https://github.com/hadhub/CVE-2026-49345-Mercator-SSRF
The advisory: https://github.com/sourcentis/mercator/security/advisories/GHSA-6q97-4q5r-96j6
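For the provider-URL SSRF this post covers, the following is an added example, not Mercator's code, of how a user-supplied URL can be validated before a server-side HTTP client fetches it. The DNS resolver is injected so the block runs offline; the hostnames and addresses in FAKE_DNS are constructed for the example.

```python
"""Added example (not Mercator's code): validate a user-supplied provider
URL before any server-side HTTP client touches it.

The resolver is injected so the example runs offline; the hostnames and
addresses in FAKE_DNS are constructed for the example."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver: hostname to the list of addresses DNS would return.
FAKE_DNS = {
    "cve.provider.example": ["93.184.216.34"],
    "rebind.attacker.example": ["93.184.216.34", "10.0.0.5"],  # mixed answer set
    "metadata.attacker.example": ["169.254.169.254"],          # cloud metadata
    "v6.attacker.example": ["::1"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host.lower(), [])


class UnsafeUrl(ValueError):
    pass


def validate_provider_url(url, resolve=fake_resolve):
    """Return (url, pinned_ip) for a URL that is safe to fetch, else raise UnsafeUrl.

    Rejects: non-http(s) schemes (file, gopher, dict, ...), credentials in the
    URL, and any literal or resolved address that is not globally routable
    (loopback, RFC 1918, link-local such as 169.254.169.254, shared address
    space, IPv6 loopback). A hostname whose answer set mixes public and
    private addresses is rejected outright. The returned pinned IP is the
    address the caller must actually connect to (keeping the Host header),
    so the address checked here is the address used and a second lookup at
    connect time cannot swap it for a private one."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]          # literal address, no DNS
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if len(addrs) == 0:
        raise UnsafeUrl(f"{host!r} does not resolve")
    for a in addrs:
        if not a.is_global:
            raise UnsafeUrl(f"{host!r} maps to non-global address {a}")
    return url, str(addrs[0])


def is_safe_provider_url(url, resolve=fake_resolve):
    try:
        validate_provider_url(url, resolve)
        return True
    except UnsafeUrl:
        return False
```

Two caveats a practitioner will want. First, the check only holds if the client connects to the pinned address: with curl that means CURLOPT_RESOLVE set to host:port:ip, CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS limited to HTTP and HTTPS, and either redirects disabled or each redirect target run through the same validation. Second, an allowlist of known provider hosts or an egress firewall on the application host is the stronger control; address-range filtering is the fallback when the set of legitimate providers is not fixed.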
Description: The &amp;ldquo;CVE&amp;rdquo; tab of the Mercator configuration page exposes a &amp;ldquo;Test Provider&amp;rdquo; button, intended to check that a CVE provider URL answers correctly on its /api/dbInfo endpoint. The value of the provider field is passed as-is to curl_init() and the request is issued by curl_exec(). No validation is applied to the scheme, the host or the destination IP address, so the server can be made to fetch any URL the attacker chooses, including internal addresses.</description></item><item><title>CVE-2026-27639 Mercator : Account Takeover via Stored XSS</title><link>https://hadrien.cat/posts/mercator-account-takeover/</link><pubDate>Sat, 21 Feb 2026 00:00:00 +0000</pubDate><guid>https://hadrien.cat/posts/mercator-account-takeover/</guid><description>Description: A low-privileged user (with the User role) can achieve a full administrator account takeover in Mercator by injecting a malicious script into the contact_point field when creating an entity. When an admin visits the entity listing page, the payload executes in their browser context and silently changes the admin password, with no re-authentication required.
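The two controls that break the chain described above, as an added example that is not Mercator's code: encoding the stored contact_point value at render time, and a password change that demands the current password, so a script running in the admin's browser holds a valid session but still cannot rotate the password. The user record, the PBKDF2 parameters and the payload are constructed for the example.

```python
"""Added example (not Mercator's code): output encoding of a stored field
plus re-authentication on password change.

The admin record, hashing parameters and payload are constructed."""
import hashlib
import hmac
import html
import os

PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256

# Constructed payload. chr(60)/chr(62) build the angle brackets so this file
# stays plain text; at runtime the value is an ordinary script element.
PAYLOAD = (chr(60) + "script" + chr(62)
           + "fetch('/profile/password', {method: 'POST'})"
           + chr(60) + "/script" + chr(62))


def render_contact_point(value):
    """HTML-encode a stored field for an HTML text or quoted-attribute context.

    Encoding belongs at render time, not at storage time, so the same value
    can still be emitted safely as JSON or in an e-mail. A script-bearing
    contact_point renders as inert text instead of executing."""
    return html.escape(value, quote=True)


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class ReauthRequired(PermissionError):
    pass


def change_password(user, current_password, new_password):
    """Rotate user['password'] only after the current password verifies.

    A request forged from the admin's own session (XSS or CSRF) carries the
    session cookie but not the current password, so it stops here."""
    salt, digest = user["password"]
    if current_password is None or not verify_password(current_password, salt, digest):
        raise ReauthRequired("current password did not verify")
    if len(new_password) == 0:
        raise ValueError("empty new password")
    user["password"] = hash_password(new_password)
    return True


def try_change_password(user, current_password, new_password):
    """Boolean wrapper used by callers that only need success or failure."""
    try:
        return change_password(user, current_password, new_password)
    except (ReauthRequired, ValueError):
        return False


def make_user(password):
    # Constructed admin record; only the password tuple matters here.
    return {"role": "admin", "password": hash_password(password)}
```

Both controls are needed: encoding stops this payload, but the re-authentication requirement is what limits the damage of the next injection point nobody has found yet, and it should apply to e-mail changes and other account-recovery settings as well.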
Product: Mercator. Version: &amp;lt;= 2026.03.01. Type: CWE-79: Improper Neutralization of Input During Web Page Generation (&amp;lsquo;Cross-site Scripting&amp;rsquo;). CVSS 4.</description></item></channel></rss>