Description
A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is sufficient to fix this issue. You should upgrade the affected component. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."
References (6)
Core 6
Core References
Permissions Required, VDB Entry vdb-entry
https://vuldb.com/?id.336409
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.336409
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.711713
Release Notes patch
https://docs.mayan-edms.com/chapters/releases/4.10.2.html
Release Notes patch
https://docs.mayan-edms.com/chapters/releases/4.10.2.html#security
Scores
CVSS v3
4.3
EPSS
0.0011
EPSS Percentile
29.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
CWE-94
Status
published
Products (2)
mayan-edms/mayan_edms
< 4.10.2
pypi/mayan-edms
4.10.0 - 4.10.2PyPI
Published
Dec 14, 2025
Tracked Since
Feb 18, 2026