CVE-2025-14691 is a Cross Site Scripting (XSS) vulnerability identified in Mayan EDMS, an open-source electronic document management system widely used for organizing and managing digital documents. The vulnerability affects versions 4.10.0 and 4.10.1 and resides in an unspecified function within the /authentication/ directory of the application. This flaw allows an attacker to inject malicious scripts that execute in the context of the victim's browser when they interact with crafted input, such as a specially crafted URL or form submission. The vulnerability is remotely exploitable without requiring any authentication, though it does require user interaction (e.g., clicking a malicious link). The impact primarily concerns the integrity of user sessions and potential execution of unauthorized scripts, which could lead to session hijacking, phishing, or defacement attacks. However, the vulnerability does not directly compromise confidentiality or availability. The vendor has addressed the issue in Mayan EDMS version 4.10.2 and is actively backporting fixes for older supported versions. No public exploits have been observed in the wild yet, but the exploit code is publicly available, increasing the risk of opportunistic attacks. The CVSS v4.0 base score is 5.3, reflecting a medium severity level due to the ease of exploitation and limited impact scope.

For European organizations, the primary impact of CVE-2025-14691 lies in the potential compromise of user sessions and the integrity of document management workflows. Since Mayan EDMS is used to manage sensitive corporate and governmental documents, successful exploitation could enable attackers to execute malicious scripts that steal session cookies, perform unauthorized actions on behalf of users, or deliver phishing payloads. This could lead to unauthorized access to documents, manipulation of document metadata, or social engineering attacks targeting employees. While confidentiality and availability impacts are limited, the integrity and trustworthiness of document management systems are critical for compliance with European data protection regulations such as GDPR. Organizations relying on Mayan EDMS for regulated data processing or legal document management may face reputational damage and regulatory scrutiny if exploited. The lack of authentication requirement for exploitation increases the risk of widespread attacks, especially in environments where users are not trained to recognize phishing attempts or suspicious links.

European organizations should immediately upgrade all instances of Mayan EDMS to version 4.10.2 or later to remediate this vulnerability. For environments where immediate upgrade is not feasible, applying vendor-provided backported patches for older versions as soon as they become available is essential. Additionally, organizations should implement strict input validation and output encoding on all user-supplied data within the /authentication/ module to prevent script injection. Deploying Web Application Firewalls (WAFs) with rules targeting XSS attack patterns can provide temporary protection. User awareness training should emphasize caution with unsolicited links and emails to reduce the risk of successful social engineering. Monitoring web server logs for suspicious requests targeting the /authentication/ path can help detect attempted exploitation. Finally, organizations should review session management policies to ensure secure cookie attributes (HttpOnly, Secure, SameSite) are enforced to mitigate session hijacking risks.