CVE-2025-14691 is a cross-site scripting vulnerability identified in the Mayan EDMS document management system, specifically affecting versions 4.10.0 and 4.10.1. The vulnerability arises from improper input sanitization or output encoding in an unknown function within the /authentication/ directory, which allows an attacker to inject malicious JavaScript code remotely. This XSS flaw can be exploited without any authentication, making it accessible to unauthenticated remote attackers. However, exploitation requires user interaction, such as a victim clicking on a maliciously crafted URL or interacting with manipulated content. The impact of this vulnerability includes potential session hijacking, theft of authentication tokens, or execution of arbitrary scripts in the context of the victim’s browser, which can lead to phishing or unauthorized actions within the EDMS interface. The vendor has addressed the vulnerability in version 4.10.2 and is working on backporting fixes to older supported versions. Although no active exploits have been observed in the wild, the availability of public exploit code increases the risk of opportunistic attacks. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction needed, and limited impact on confidentiality and integrity, with no impact on availability or scope changes. This vulnerability highlights the importance of secure input validation and output encoding in web applications, especially those handling sensitive document management workflows.

For European organizations, the impact of CVE-2025-14691 can be significant in environments where Mayan EDMS is used to manage sensitive or regulated documents. Successful exploitation could lead to session hijacking, allowing attackers to impersonate legitimate users and access confidential documents or perform unauthorized actions. This undermines confidentiality and integrity of document workflows, potentially exposing sensitive business or personal data. Although availability is not directly affected, the reputational damage and compliance risks (e.g., GDPR violations) from data leakage or unauthorized access could be substantial. Public sector entities, legal firms, and financial institutions in Europe relying on Mayan EDMS for document management are particularly at risk. The medium severity rating suggests that while the vulnerability is not critical, it poses a meaningful threat that could be leveraged in targeted phishing campaigns or lateral movement within networks. The lack of authentication requirement lowers the barrier for attackers, increasing the likelihood of exploitation if patches are not applied promptly.

European organizations should immediately upgrade all Mayan EDMS instances to version 4.10.2 or later to remediate CVE-2025-14691. For environments where immediate upgrading is not feasible, apply any available vendor backported patches as soon as they are released. Implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Conduct thorough input validation and output encoding reviews for any custom plugins or integrations with Mayan EDMS to prevent similar vulnerabilities. Educate users about the risks of clicking on suspicious links and implement email filtering to reduce phishing attempts leveraging this vulnerability. Monitor web server and application logs for unusual requests targeting the /authentication/ path or signs of XSS exploitation attempts. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting Mayan EDMS. Finally, integrate vulnerability management processes to ensure timely patching of document management systems and related infrastructure.