{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0521", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2025-12-17T08:22:37.425Z", "datePublished": "2026-02-06T06:17:02.239Z", "dateUpdated": "2026-02-06T15:22:50.179Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "MAP+", "vendor": "TYDAC AG", "versions": [{"lessThan": "3.0.0", "status": "unaffected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Benjamin Faller, Redguard AG"}, {"lang": "en", "type": "finder", "value": "David Wischnjak, Redguard AG"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div>A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.</div></div><p>This issue was verified in MAP+: 3.4.0.</p>"}], "value": "A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.\n\n\n\nThis issue was verified in MAP+: 3.4.0."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.6, "baseSeverity": "MEDIUM", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2026-02-06T06:17:02.239Z"}, "references": [{"tags": ["product"], "url": "https://www.tydac.ch/en/mapplus/"}, {"tags": ["third-party-advisory", "technical-description"], "url": "https://www.redguard.ch/blog/2026/02/05/advisory-tydac-mapplus/"}], "source": {"discovery": "UNKNOWN"}, "title": "Reflected Cross-Site Scripting in PDF Export Error Message", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T15:20:38.525756Z", "id": "CVE-2026-0521", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T15:22:50.179Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0521", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T15:20:38.525756Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T15:22:36.225Z"}}], "cna": {"title": "Reflected Cross-Site Scripting in PDF Export Error Message", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Benjamin Faller, Redguard AG"}, {"lang": "en", "type": "finder", "value": "David Wischnjak, Redguard AG"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "TYDAC AG", "product": "MAP+", "versions": [{"status": "unaffected", "version": "0", "lessThan": "3.0.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.tydac.ch/en/mapplus/", "tags": ["product"]}, {"url": "https://www.redguard.ch/blog/2026/02/05/advisory-tydac-mapplus/", "tags": ["third-party-advisory", "technical-description"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.\n\n\n\nThis issue was verified in MAP+: 3.4.0.", "supportingMedia": [{"type": "text/html", "value": "<div><div>A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.</div></div><p>This issue was verified in MAP+: 3.4.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2026-02-06T06:17:02.239Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0521", "state": "PUBLISHED", "dateUpdated": "2026-02-06T15:22:50.179Z", "dateReserved": "2025-12-17T08:22:37.425Z", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "datePublished": "2026-02-06T06:17:02.239Z", "assignerShortName": "NCSC.ch"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tydac:map\\+:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "42625819-146F-45CD-B927-71B9C6951E75", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.\n\n\n\nThis issue was verified in MAP+: 3.4.0."}, {"lang": "es", "value": "Una vulnerabilidad de cross-site scripting (XSS) reflejada en la funcionalidad de exportaci\u00f3n de PDF de la soluci\u00f3n TYDAC AG MAP+ permite a atacantes no autenticados crear una URL maliciosa, que si es visitada por una v\u00edctima, ejecutar\u00e1 JavaScript arbitrario en el contexto de la v\u00edctima. Dicha URL podr\u00eda ser entregada a trav\u00e9s de varios medios, por ejemplo, enviando un enlace o enga\u00f1ando a las v\u00edctimas para que visiten una p\u00e1gina creada por el atacante.\n\nEste problema fue verificado en MAP+: 3.4.0."}], "id": "CVE-2026-0521", "lastModified": "2026-02-18T17:43:20.867", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}, "published": "2026-02-06T07:16:11.353", "references": [{"source": "vulnerability@ncsc.ch", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.redguard.ch/blog/2026/02/05/advisory-tydac-mapplus/"}, {"source": "vulnerability@ncsc.ch", "tags": ["Product"], "url": "https://www.tydac.ch/en/mapplus/"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:38:51.641685+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s patch for MAP+ that removes the unencoded error response in the PDF export functionality.", "If a patch is not yet available, configure the application firewall or web server to block requests to the PDF export endpoint that contain script fragments or otherwise block all PDF export functionality in trusted environments.", "Introduce web application safeguards such as a content\u2011security\u2011policy header and server\u2011side escaping of all output rendered in error messages, ensuring that future similar oversights do not result in reflected XSS."], "summary": {"action": "Patch promptly", "impact": "Cross\u2011site scripting that executes arbitrarily code in a victim\u2019s browser when a crafted PDF export link is visited"}, "threat_synthesis": {"affected_systems": "TYDAC AG MAP+ versions 3.4.0 is confirmed vulnerable. No other versions were explicitly listed in the advisory, so only this release should be considered affected for now.", "description_and_impact": "The flaw is a reflected cross\u2011site scripting vulnerability in the PDF export endpoint of TYDAC AG MAP+. The endpoint\u2019s error response reflects user\u2011supplied input without proper encoding, allowing an attacker to embed malicious JavaScript in a URL that, when visited by a user, runs in the victim\u2019s browser context. This can lead to session hijacking, defacement, or execution of further malicious actions within the victim\u2019s session. The weakness is a classic reflected XSS, classified as CWE\u201179.", "risk_and_exploitability": "The CVSS base score of 5.6 reflects moderate impact, primarily because exploitation requires the victim to click a malicious link. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation at this time. The issue is not listed in the CISA KEV catalog. Exploitation is possible without authentication; an attacker simply distributes a crafted link via phishing, social engineering, or embedding in a victim\u2011targeted page. The impact is limited to the victim\u2019s browser session and any data accessed within that session."}}}}, "created": "2026-02-09T10:52:40.895190+00:00", "updated": "2026-04-18T13:45:45.674111+00:00", "vendors": ["tydac_ag", "tydac_ag$PRODUCT$map+"]}