CVE-2026-49344
Mercator has a Personal Identifiable Information Leak from Query Executor feature
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. The controller method `QueryController::execute()` does not enforce an authorization gate, unlike `store()` and `massDestroy()` in the same controller which are correctly protected. As a result, any authenticated account โ including the read-only Auditor role โ can query models beyond its intended scope, including the `User` model. Additionally, the `password` column, although declared `$hidden`, is not excluded from filter predicates, which allows it to be used in `LIKE` conditions. The `schema()` and `schemaModel()` endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.
| CWE | CWE-359 |
| Vendor | sourcentis |
| Product | mercator |
| Published | Jun 19, 2026 |
| Last Updated | Jun 19, 2026 |
Get instant alerts for sourcentis mercator
Be the first to know when new unknown vulnerabilities affecting sourcentis mercator are published โ delivered to Slack, Telegram or Discord.