CVE-2025-14691
MEDIUMMayan EDMS < 4.10.2 - Cross-Site Scripting in Authentication Endpoint
Title source: llmDescription
A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is sufficient to fix this issue. You should upgrade the affected component. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."
References (6)
Core 6
Core References
Permissions Required, VDB Entry vdb-entry
https://vuldb.com/?id.336409
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.336409
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.711713
Release Notes patch
https://docs.mayan-edms.com/chapters/releases/4.10.2.html
Release Notes patch
https://docs.mayan-edms.com/chapters/releases/4.10.2.html#security
Scores
CVSS v3
4.3
EPSS
0.0039
EPSS Percentile
31.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
CWE-94
Status
published
Products (6)
mayan-edms/mayan_edms
< 4.10.2
pypi/mayan-edms
0 - 4.6.12PyPI
pypi/mayan-edms
4.10.0 - 4.10.2PyPI
pypi/mayan-edms
4.7.0 - 4.7.8PyPI
pypi/mayan-edms
4.8.0 - 4.8.10PyPI
pypi/mayan-edms
4.9.0 - 4.9.7PyPI
Published
Dec 14, 2025
Tracked Since
Feb 18, 2026