CVE-2026-0521

6.1 MEDIUM

📋 TL;DR

A reflected cross-site scripting vulnerability in TYDAC AG MAP+ allows unauthenticated attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers when visited. This affects all users accessing the vulnerable PDF export functionality, potentially compromising their sessions and data.

💻 Affected Systems

Products:
  • TYDAC AG MAP+
Versions: 3.4.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PDF export functionality to be enabled and accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal session cookies, perform actions as authenticated users, redirect to phishing sites, or install malware through drive-by downloads.

🟠 Likely Case

Session hijacking, credential theft, or redirection to malicious sites through crafted phishing links.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, though some user interaction risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires user interaction (clicking malicious link) but is trivial to craft once vulnerability details are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.tydac.ch/en/mapplus/

Restart Required: No

Instructions:

Check vendor website for security updates. Apply any available patches following vendor instructions.

🔧 Temporary Workarounds

Input Validation and Output Encoding (all)

Implement proper input validation and output encoding for all user-supplied data in PDF export functionality.

Content Security Policy (all)

Implement strict Content Security Policy headers to restrict script execution.
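The two workarounds above, shown together as an added example (this is illustrative code, not MAP+ code; the advisory does not describe how MAP+ builds its export page). The endpoint path, the `title` query parameter and the response layout are assumptions. The first handler reflects the parameter verbatim, which is the flaw class described; the second HTML-encodes it, caps its length, strips control characters and attaches a restrictive Content-Security-Policy header.

```python
# Added example, not part of the advisory or of MAP+: hardening a reflected
# query parameter in a hypothetical PDF-export page.
from html import escape
from urllib.parse import parse_qs, urlsplit

# Restrictive policy: scripts only from the site's own origin, no inline scripts,
# no plugins, no <base> rewriting.
CSP_HEADER = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'none'; frame-ancestors 'none'"
)
MAX_TITLE_LEN = 200


def _title_from_url(url: str) -> str:
    """Extract the (assumed) 'title' parameter from a request URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("title", [""])[0]


def render_export_page_vulnerable(url: str) -> tuple[str, dict]:
    """Reflects user input into HTML unencoded: the pattern behind reflected XSS."""
    title = _title_from_url(url)
    body = f"<h1>PDF export: {title}</h1>"
    return body, {"Content-Type": "text/html; charset=utf-8"}


def render_export_page_hardened(url: str) -> tuple[str, dict]:
    """Validates, then output-encodes the input and sets a strict CSP."""
    title = _title_from_url(url)
    # Input validation: bound the length and drop control characters.
    title = "".join(ch for ch in title[:MAX_TITLE_LEN] if ch.isprintable())
    # Output encoding: escape <, >, &, " and ' for an HTML text/attribute context.
    body = f"<h1>PDF export: {escape(title, quote=True)}</h1>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_HEADER,
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


if __name__ == "__main__":
    sample = "/mapplus/export/pdf?title=%3Ci%3Ex%3C%2Fi%3E%22"  # constructed request
    print(render_export_page_vulnerable(sample)[0])
    print(render_export_page_hardened(sample)[0])
```

Output encoding must match the context the value lands in; `html.escape` covers HTML element and quoted-attribute contexts, while a value placed inside a script block or a URL would need different encoding. The CSP header is defence in depth: it limits what an injected script could do if encoding were missed somewhere else.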

🧯 If You Can't Patch

  • Disable PDF export functionality if not required
  • Implement WAF rules to detect and block XSS payloads in URLs

🔍 How to Verify

Check if Vulnerable:

Test PDF export functionality with XSS payloads in URL parameters. Check if scripts execute in response.

Check Version:

Check MAP+ version in application interface or configuration files.

Verify Fix Applied:

Retest with same payloads after remediation. Scripts should be properly encoded and not execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL parameters containing script tags or JavaScript in PDF export requests
  • Multiple failed PDF generation attempts with suspicious parameters

Network Indicators:

  • HTTP requests to PDF export endpoints with encoded script payloads in query strings

SIEM Query:

source="web_logs" AND (url="*pdf*" OR url="*export*") AND (query="*<script>*" OR query="*javascript:*" OR query="*onerror=*" OR query="*onload=*")
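The indicators above, applied to web-server access logs as an added example (not part of the advisory and not a MAP+ tool). The log format (combined-style lines), the `/mapplus/export/pdf` path and the sample entries are constructed assumptions. The scan URL-decodes query strings repeatedly so that single- and double-encoded forms of the four SIEM patterns are caught, and only flags requests whose path matches the PDF/export filter from the query above.

```python
# Added example, not part of the advisory: flag PDF-export requests whose query
# string carries the XSS indicators listed above, after URL-decoding.
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /mapplus/export/pdf?title=Site+plan&scale=1000 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "GET /mapplus/export/pdf?title=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 2048
203.0.113.9 - - [10/Jan/2026:10:00:03 +0000] "GET /mapplus/export/pdf?title=x%2522%2520onerror%253Dy HTTP/1.1" 500 310
203.0.113.11 - - [10/Jan/2026:10:00:04 +0000] "GET /mapplus/search?q=%3Cscript%3E HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The four patterns from the SIEM query, case-insensitive, tolerant of spaces around '='.
INDICATORS = re.compile(r"<script|javascript:|on(?:error|load)\s*=", re.I)
# Path filter matching the query's url="*pdf*" OR url="*export*".
EXPORT_PATH = re.compile(r"pdf|export", re.I)


def decode_layers(value: str, max_layers: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded payloads are visible."""
    for _ in range(max_layers):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list[dict]:
    """Return one record per export request whose decoded query hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        parts = urlsplit(m.group("target"))
        if not EXPORT_PATH.search(parts.path):
            continue  # only the PDF/export endpoints are in scope here
        query = decode_layers(parts.query)
        ind = INDICATORS.search(query)
        if ind:
            hits.append({
                "client": m.group("client"),
                "ts": m.group("ts"),
                "path": parts.path,
                "status": m.group("status"),
                "indicator": ind.group(0),
                "decoded_query": query,
            })
    return hits


def failed_exports_by_client(text: str) -> dict:
    """Count 5xx responses on export endpoints per client (the 'failed attempts' indicator)."""
    counts: dict = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("status").startswith("5"):
            continue
        if EXPORT_PATH.search(urlsplit(m.group("target")).path):
            counts[m.group("client")] = counts.get(m.group("client"), 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['path']} {hit['status']} -> {hit['indicator']!r}")
    print(failed_exports_by_client(SAMPLE_LOG))
```

The decode step matters because a wildcard match on the raw query, as in the SIEM query, misses percent-encoded forms; matching after decoding catches both. Treat the four patterns as a starting point rather than a complete signature, and pair the hits with the failed-export counts to prioritise clients that are probing rather than simply exporting.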
