Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-49344— Mercator has a Personal Identifiable Information Leak from Query Executor feature

AI Predicted 7.5 Difficulty: Easy EPSS 0.28% · P20

Affected Version Matrix 1

VendorProductVersion RangeStatus
sourcentismercator< 2025.05.19affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-49344

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Mercator has a Personal Identifiable Information Leak from Query Executor feature
Source: NVD (National Vulnerability Database)
Vulnerability Description
Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, Mercator's Query Engine (`/admin/queries/execute`) accepts a JSON DSL (`from` / `select` / `filters` / `traverse` / `output`), translates it into an Eloquent query, and returns results as JSON. The controller method `QueryController::execute()` does not enforce an authorization gate, unlike `store()` and `massDestroy()` in the same controller which are correctly protected. As a result, any authenticated account — including the read-only Auditor role — can query models beyond its intended scope, including the `User` model. Additionally, the `password` column, although declared `$hidden`, is not excluded from filter predicates, which allows it to be used in `LIKE` conditions. The `schema()` and `schemaModel()` endpoints of the same controller are similarly unguarded. The Query Engine is read-only; integrity and availability are not affected. Version 2025.05.19 patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
侵犯隐私
Source: NVD (National Vulnerability Database)
Vulnerability Title
Sourcentis Mercator 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
sourcentis mercator是sourcentis公司开源的一款IT资产管理工具。 Sourcentis Mercator 2025.05.19之前版本存在信息泄露漏洞,该漏洞源于查询引擎未强制授权门控,且密码列未被排除在筛选谓词之外,可能导致任何经过身份验证的账户查询超出预期范围的模型(包括User模型)以及使用密码列进行LIKE条件查询。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
sourcentismercator < 2025.05.19 -

II. Public POCs for CVE-2026-49344

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-49344

登录查看更多情报信息。

Vendor Advisories for CVE-2026-49344 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-49344

No comments yet


Leave a comment