CVE-2025-14692
CVE-2025-14692 is a medium-severity vulnerability in Mayan-edms Mayan Edms with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-601.
Key facts
- Severity: Medium (CVSS 3.x base score 4.3)
- CVSS v2: 5.0
- CVSS v4: 2.1
- EPSS exploit prediction: 0% (32nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-203313
- Weakness: CWE-601
- Affected product: Mayan-edms Mayan Edms
- Published:
- Last modified:
Description
A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."
Frequently asked questions
- What is CVE-2025-14692?
- A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."
- How severe is CVE-2025-14692?
- CVE-2025-14692 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2025-14692 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (32nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-14692?
- CVE-2025-14692 affects Mayan-edms Mayan Edms. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-14692?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-14692 have an EU (EUVD) identifier?
- Yes. CVE-2025-14692 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-203313.
- When was CVE-2025-14692 published?
- CVE-2025-14692 was published on 2025-12-15 and last updated on 2026-06-17.
References
- https://docs.mayan-edms.com/chapters/releases/4.10.2.html
- https://docs.mayan-edms.com/chapters/releases/4.10.2.html#security
- https://github.com/ionutluca888/Mayan-EDMS-OpenRedirect-POC/tree/main
- https://vuldb.com/?ctiid.336410
- https://vuldb.com/?id.336410
- https://vuldb.com/?submit.711729
Affected products (1)
- cpe:2.3:a:mayan-edms:mayan_edms:*:*:*:*:*:*:*:*
More vulnerabilities in Mayan-edms Mayan Edms
- CVE-2018-16407 — Medium (CVSS 6.1): An issue was discovered in Mayan EDMS before 3.0.3. The Tags app has XSS because tag label values are mishandled.
- CVE-2018-16406 — Medium (CVSS 6.1): An issue was discovered in Mayan EDMS before 3.0.2. The Cabinets app has XSS via a crafted cabinet label.
- CVE-2018-16405 — Medium (CVSS 6.1): An issue was discovered in Mayan EDMS before 3.0.2. The Appearance app sets window.location directly, leading to XSS.
- CVE-2022-47419 — Medium (CVSS 5.4): An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful XSS exploitation was observed in the in-product…
- CVE-2025-14691 — Medium (CVSS 4.3): A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file…
- CVE-2014-3840 — Low (CVSS 3.5): Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html in Mayan EDMS…
All CVEs affecting Mayan-edms Mayan Edms →
Other CWE-601 (Open Redirect) vulnerabilities
- CVE-2018-3774 — Critical (CVSS 10.0): Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open…
- CVE-2019-25282 — Critical (CVSS 9.8): V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to…
- CVE-2020-36912 — Critical (CVSS 9.8): Plexus anblick Digital Signage Management 3.1.13 contains an open redirect vulnerability in the 'PantallaLogin' script…
- CVE-2025-43526 — Critical (CVSS 9.8): This issue was addressed with improved URL validation. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. On a Mac…
- CVE-2025-55031 — Critical (CVSS 9.8): Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An…
- CVE-2024-22891 — Critical (CVSS 9.8): Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link.