Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery (SSRF) vulnerability exists in Mercator's CVE configuration panel ("/admin/config/parameters"). The "testProvider()" method in "ConfigurationController" passes user-supplied input directly to "curl_init()" without validating the scheme, hostname, or destination IP address. An authenticated user with the "configure" permission can force the Mercator server to issue arbitrary outbound network requests. The suffix "/api/dbInfo" appended to the URL can be bypassed by injecting a "#" fragment character (e.g. "http://TARGET/PATH#"), allowing full control over the target URL. No scheme whitelist, host whitelist, or private/loopback IP block is applied. The "telnet://" scheme can be used for internal port scanning; the "gopher://" scheme enables interaction with unauthenticated internal services (Redis, Memcached), potentially leading to Remote Code Execution under specific deployment conditions. Version 2025.05.19 patches the issue.