CVE-2025-14692
MEDIUMMayan EDMS < 4.10.2 - Open Redirect via Authentication Endpoint
Title source: llmDescription
A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."
References (6)
Core 6
Core References
Permissions Required, VDB Entry vdb-entry
https://vuldb.com/?id.336410
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.336410
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.711729
Various Sources exploit
https://github.com/ionutluca888/Mayan-EDMS-OpenRedirect-POC/tree/main
Release Notes patch
https://docs.mayan-edms.com/chapters/releases/4.10.2.html
Release Notes patch
https://docs.mayan-edms.com/chapters/releases/4.10.2.html#security
Scores
CVSS v3
4.3
EPSS
0.0040
EPSS Percentile
31.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-601
Status
published
Products (6)
mayan-edms/mayan_edms
< 4.10.2
pypi/mayan-edms
0 - 4.6.12PyPI
pypi/mayan-edms
4.10.0 - 4.10.2PyPI
pypi/mayan-edms
4.7.0 - 4.7.8PyPI
pypi/mayan-edms
4.8.0 - 4.8.10PyPI
pypi/mayan-edms
4.9.0 - 4.9.7PyPI
Published
Dec 15, 2025
Tracked Since
Feb 18, 2026