CVE-2026-27818
Published: 26 February 2026
Summary
CVE-2026-27818 is a high-severity Improper Input Validation (CWE-20) vulnerability in Terria Terriajs-Server. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 15.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27818 is a validation bug in TerriaJS-Server, a Node.js Express server used with TerriaJS, a library for building web-based geospatial data explorers. The flaw affects versions prior to 4.0.3 and stems from improper input validation (CWE-20) that enables server-side request forgery (CWE-918). Specifically, it allows attackers to proxy domains not explicitly permitted in the `proxyableDomains` configuration. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with no confidentiality or availability effects.
A remote, unauthenticated attacker can exploit this vulnerability by crafting requests to TerriaJS-Server that bypass the intended proxy restrictions. Only network access and a low-complexity request are required, with no privileges or user interaction, after which the attacker can make the server issue requests to arbitrary domains. This is server-side request forgery: the server can be made to proxy unauthorized external resources, with integrity consequences such as injected content being served through the trusted origin or security controls like CORS policies being bypassed.
The GitHub security advisory (GHSA-w789-49fc-v8hr) and the fixing commit (3aaa5d9717162b245ae4569232bbe7d8673c913f) confirm that upgrading to version 4.0.3 resolves the issue by enforcing proper validation of proxyable domains. Security practitioners should review and update their `proxyableDomains` configuration alongside applying the patch to prevent exploitation.
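The validation the fix and the mitigating controls call for, shown as an added example: a strict allowlist check that decides on the parsed hostname of the proxy target only. This is not terriajs-server's code and does not reproduce the project's actual flaw; the allowlist values and the function name `allowedProxyTarget` are constructed for illustration.

```javascript
// Added example (not terriajs-server code): strict allowlist matching for
// proxy targets in the spirit of a `proxyableDomains` configuration.
// Constructed sample allowlist; replace with the deployment's own entries.
const proxyableDomains = ["tiles.example.org", "data.example.com"];

// Normalise a configured entry: lowercase, trimmed, no trailing dots.
function normaliseDomain(entry) {
  return entry.trim().toLowerCase().replace(/\.+$/, "");
}

// Returns the hostname to proxy when `target` is allowed, otherwise null.
// The decision uses only the parsed URL's hostname, never a substring of the
// raw string, so userinfo, ports, paths and lookalike suffixes cannot
// influence the match.
function allowedProxyTarget(target, allowlist = proxyableDomains) {
  let url;
  try {
    url = new URL(String(target)); // WHATWG parser rejects malformed input
  } catch {
    return null;
  }
  // Only plain web schemes are proxied; file:, ftp:, gopher: etc. are refused.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // Refuse credentials in the URL: "https://allowed.example@other.host/"
  // parses with hostname "other.host", but it is clearer to reject outright.
  if (url.username || url.password) return null;
  const host = url.hostname.toLowerCase().replace(/\.+$/, "");
  if (!host) return null;
  for (const entry of allowlist.map(normaliseDomain)) {
    // Exact host, or a subdomain of an allowlisted domain (dot boundary).
    if (host === entry || host.endsWith("." + entry)) return host;
  }
  return null;
}
```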
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8783
Vulnerability details
TerriaJS-Server is a NodeJS Express server for TerriaJS, a library for building web-based geospatial data explorers. A validation bug in versions prior to 4.0.3 allows an attacker to proxy domains not explicitly allowed in the `proxyableDomains` configuration. Version 4.0.3 fixes the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing TerriaJS-Server directly enables remote exploitation of an internet-facing application without authentication.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the improper input validation bug (CWE-20) by requiring that proxy target inputs be validated against the `proxyableDomains` configuration, preventing SSRF.
- SI-2 (Flaw Remediation): requires timely remediation through patching to version 4.0.3, which fixes the validation bug that enables unauthorized domain proxying.
- SC-7 (Boundary Protection): enforces boundary protection by monitoring and controlling outbound communications from the proxy server so that only authorized domains are reachable, blocking SSRF attempts.