CVE-2026-0521 PUBLISHED

Reflected Cross-Site Scripting in PDF Export Error Message

Assigner: NCSC.ch
Reserved: 17.12.2025 Published: 06.02.2026 Updated: 06.02.2026

A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim's context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker.

This issue was verified in MAP+: 3.4.0.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
CVSS Score: 5.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	Active

CVSS 4.0

Product Status

Vendor	TYDAC AG
Product	MAP+
Versions	Default: unknown unaffected from 0 to 3.0.0 (excl.)

Credits

Benjamin Faller, Redguard AG finder
David Wischnjak, Redguard AG finder

References

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)