CVE-2025-14692

MEDIUM

Pypi Mayan-edms < 4.10.2 - Open Redirect

Title source: rule

Description

A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."

References (6)

[Permissions Required, VDB Entry] https://vuldb.com/?id.336410

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.336410

[Permissions Required, VDB Entry] https://vuldb.com/?submit.711729

[Various Sources] https://github.com/ionutluca888/Mayan-EDMS-OpenRedirect-POC/tree/main

View Exploit ZIP pw:eip

[Release Notes] https://docs.mayan-edms.com/chapters/releases/4.10.2.html

[Release Notes] https://docs.mayan-edms.com/chapters/releases/4.10.2.html#security

Scores

CVSS v3 4.3

EPSS 0.0018

EPSS Percentile 38.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (2)

mayan-edms/mayan_edms < 4.10.2

pypi/mayan-edms 4.10.0 - 4.10.2PyPI

Published Dec 15, 2025

Tracked Since Feb 18, 2026