🚨 CVE-2026-49344
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. The controller method `QueryController::execute()` does not enforce an authorization gate, unlike `store()` and `massDestroy()` in the same controller which are correctly protected. As a result, any authenticated account — including the read-only Auditor role — can query models beyond its intended scope, including the `User` model. Additionally, the `password` column, although declared `$hidden`, is not excluded from filter predicates, which allows it to be used in `LIKE` conditions. The `schema()` and `schemaModel()` endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.
🎖@cveNotify
GitHub
Personal Identifiable Information Leak from Query Executor feature
## Details
Mercator's Query Engine (`/admin/queries`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as...
🚨 CVE-2026-49345
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (`/admin/config/parameters`). The `testProvider()` method in `ConfigurationController` passes user-supplied input directly to `curl_init()` without validating the scheme, hostname, or destination IP address. An authenticated user with the `configure` permission can force the Mercator server to issue arbitrary outbound network requests. The suffix `/api/dbInfo` appended to the URL can be bypassed by injecting a `#` fragment character (e.g. `http://TARGET/PATH#`), allowing full control over the target URL. No scheme whitelist, host whitelist, or private/loopback IP block is applied. The `telnet://` scheme can be used for internal port scanning; the `gopher://` scheme enables interaction with unauthenticated internal services (Redis, Memcached), potentially leading to Remote Code Execution under specific deployment conditions. Version 2025.05.19 patches the issue.
GitHub
Server-Side Request Forgery (SSRF) in Mercator CVE Configuration
## Details
A Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel (`/admin/config/parameters`). The `testProvider()` method in `ConfigurationControll...
🚨 CVE-2026-6238
The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.0.1 to version 2.43 fail to validate the RDATA content against the RDATA length in a DNS response when processing A6, CERT, LOC, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.
These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.
🚨 CVE-2026-42824
Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.
🚨 CVE-2026-42915
Incorrect calculation of buffer size in Windows VMSwitch allows an authorized attacker to deny service locally.
🚨 CVE-2026-44803
Integer overflow or wraparound in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally.
🚨 CVE-2026-44812
Integer overflow or wraparound in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally.
🚨 CVE-2026-44817
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
🚨 CVE-2026-44818
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
🚨 CVE-2026-44819
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
🚨 CVE-2026-44820
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
🚨 CVE-2026-44821
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.
🚨 CVE-2026-44822
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
🚨 CVE-2026-44823
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
🚨 CVE-2026-44824
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
🚨 CVE-2026-45455
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
🚨 CVE-2026-45456
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
🚨 CVE-2026-45457
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally.
🚨 CVE-2026-45458
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
🚨 CVE-2026-45459
Protection mechanism failure in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.
🚨 CVE-2026-45460
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.