CVE-2026-27818 (High)

Published: 26 February 2026
Modified: 04 March 2026
KEV Added: not listed
Patch: version 4.0.3

CVSS v4.0 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0024 (15.0th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-27818 is a high-severity Improper Input Validation (CWE-20) vulnerability in Terria Terriajs-Server. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27818 is a validation bug in TerriaJS-Server, a Node.js Express server used with TerriaJS, a library for building web-based geospatial data explorers. The flaw affects versions prior to 4.0.3 and stems from improper input validation (CWE-20) that enables server-side request forgery (CWE-918). Specifically, it allows attackers to proxy domains not explicitly permitted in the `proxyableDomains` configuration. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with no confidentiality or availability effects.

A remote, unauthenticated attacker exploits this by sending the TerriaJS-Server proxy endpoint a target that slips past the `proxyableDomains` check. Network access and a low-complexity request are all that is required; no privileges or user interaction are needed. The server then fetches from a domain the operator never approved, which is server-side request forgery. Because the proxy exists precisely so the browser client can fetch cross-origin data through the trusted server origin, an attacker who controls the upstream can hand attacker-chosen content to TerriaJS clients as if it came from an approved source, which is the integrity impact the CVSS vector records (I:H) with no confidentiality or availability impact claimed.

The GitHub security advisory (GHSA-w789-49fc-v8hr) and the fixing commit (3aaa5d9717162b245ae4569232bbe7d8673c913f) confirm that upgrading to version 4.0.3 resolves the issue by enforcing proper validation of proxyable domains. Security practitioners should review and update their `proxyableDomains` configuration alongside applying the patch to prevent exploitation.
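The weakness class here is a domain allow-list that is checked loosely. The following is an added example written for this page, not terriajs-server's own code and not the specific bypass behind CVE-2026-27818: it contrasts a substring check on the raw target string with a parse-then-compare check on the hostname, against a constructed `proxyableDomains` list and constructed probe URLs of the kind a tester would send to an exposed proxy endpoint. The function names and the configuration values are assumptions for illustration.

```javascript
// Added example: allow-list checks for a server-side proxy of the kind
// TerriaJS-Server provides. Illustrative code written for this page, not the
// project's own implementation or the actual CVE-2026-27818 payload.
// `URL` is the Node.js global WHATWG parser; no third-party modules needed.

// Constructed configuration: the only upstreams the proxy should ever reach.
const proxyableDomains = ["data.example.org", "tiles.example.net"];

// Weak check: a substring test on the unparsed target. Any URL that merely
// *contains* an allowed name passes, so the list is trivially bypassable.
function weakIsAllowed(target, allowed) {
  return allowed.some((d) => target.includes(d));
}

// Strict check: parse the target, restrict the scheme, reject userinfo, and
// require the hostname to equal an allowed domain or to end with "." + domain
// (so sub.data.example.org passes, data.example.org.attacker.test does not).
function strictIsAllowed(target, allowed) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return false; // unparseable target: refuse rather than guess
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username || url.password) return false; // "https://allowed@attacker" trick
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  return allowed.some((d) => {
    const dom = d.toLowerCase();
    return host === dom || host.endsWith("." + dom);
  });
}

// Constructed probe targets (not real hosts) covering the usual confusions:
// legitimate, legitimate subdomain, suffix spoof, allowed name in the query,
// allowed name in userinfo, a cloud metadata IP, and garbage.
const probes = [
  "https://data.example.org/layers.json",
  "https://sub.data.example.org/x",
  "https://data.example.org.attacker.test/",
  "https://attacker.test/?next=https://data.example.org/",
  "https://data.example.org@attacker.test/",
  "http://169.254.169.254/latest/meta-data/",
  "not a url",
];

// Runs every probe through both checks and reports where they disagree.
function compare(allowed = proxyableDomains) {
  return probes.map((target) => ({
    target,
    weak: weakIsAllowed(target, allowed),
    strict: strictIsAllowed(target, allowed),
  }));
}

for (const r of compare()) {
  const verdict = r.weak && !r.strict ? "BYPASS of weak check" : "consistent";
  console.log(`${verdict.padEnd(21)} weak=${r.weak} strict=${r.strict} ${r.target}`);
}
```

Three of the seven constructed probes pass the substring check and fail the parsed-hostname check; those are exactly the shapes to try against a proxy endpoint when confirming whether a deployment is still on a version before 4.0.3, and exactly what a fixed version should refuse.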

Vulnerability details

TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configuration. Version 4.0.3 fixes the issue.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in public-facing TerriaJS-Server directly enables remote exploitation of an internet-facing application without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2023-50733 (shared CWE-20, CWE-918)
CVE-2026-26121 (shared CWE-20, CWE-918)
CVE-2024-13195 (shared CWE-918)
CVE-2026-5052 (shared CWE-918)
CVE-2025-58045 (shared CWE-918)
CVE-2025-48913 (shared CWE-20)
CVE-2025-67484 (shared CWE-20)
CVE-2025-69299 (shared CWE-918)
CVE-2026-42398 (shared CWE-918)
CVE-2026-7025 (shared CWE-918)

Affected Assets

terria
terriajs-server
< 4.0.3 (4.0.3 is the fixed release)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly mitigates the improper input validation bug (CWE-20) by requiring the proxy target to be validated against the `proxyableDomains` configuration, so that only approved domains can be fetched and SSRF is prevented.

SI-2 Flaw Remediation (prevent)
Requires timely flaw remediation through patching to version 4.0.3, which fixes the validation bug that enables unauthorized domain proxying.

SC-7 Boundary Protection (prevent)
Enforces boundary protection by monitoring and controlling outbound connections from the proxy server so that only authorized domains are reachable; this limits the blast radius of an SSRF even if the application-level check is bypassed.
