CVE Catalog

CVE-2026-49344

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

Mercator is a web application that, prior to version 2025.05.19, had a vulnerability in the query engine allowing authenticated users, including those with limited access roles, to execute queries on models beyond their intended scope. Additionally, the `password` column, although marked as `$hidden`, could be used in `LIKE` conditions in filters.

Risk Assessment

This vulnerability may lead to unauthorized access to sensitive user data, posing a risk to privacy and data security within the organization.

Recommendation

It is recommended to upgrade to version 2025.05.19 to patch this vulnerability and to implement additional security measures in the controller to restrict access to sensitive data.

Original NVD description (English source)

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. The controller method `QueryController::execute()` does not enforce an authorization gate, unlike `store()` and `massDestroy()` in the same controller which are correctly protected. As a result, any authenticated account — including the read-only Auditor role — can query models beyond its intended scope, including the `User` model. Additionally, the `password` column, although declared `$hidden`, is not excluded from filter predicates, which allows it to be used in `LIKE` conditions. The `schema()` and `schemaModel()` endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS