Vulnerability details: VCID-yhh7-wbkc-r7ec
Vulnerability ID VCID-yhh7-wbkc-r7ec
Aliases CVE-2014-3840
GHSA-wpvx-26f7-65q3
PYSEC-2014-110
Summary Multiple cross-site scripting (XSS) vulnerabilities in apps/common/templates/calculate_form_title.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a (1) tag or the (2) title of a source in a Staging folder, (3) Name field in a bootstrap setup, or Title field in a (4) smart link or (5) web form.
Status Published
Exploitability 2.0
Weighted Severity 6.2
Risk 10.0
System Score Found at
cvssv4 5.1 http://research.openflare.org/advisories/OF-2014-09/mayan-edbs-storedxss.txt
generic_textual MODERATE http://research.openflare.org/advisories/OF-2014-09/mayan-edbs-storedxss.txt
cvssv4 5.1 http://research.openflare.org/poc/maya-edms/maya-edms_multiple_xss.avi
generic_textual MODERATE http://research.openflare.org/poc/maya-edms/maya-edms_multiple_xss.avi
epss 0.01071 https://api.first.org/data/v1/epss?cve=CVE-2014-3840
cvssv4 5.1 http://seclists.org/oss-sec/2014/q2/349
generic_textual MODERATE http://seclists.org/oss-sec/2014/q2/349
cvssv4 5.1 http://seclists.org/oss-sec/2014/q2/352
generic_textual MODERATE http://seclists.org/oss-sec/2014/q2/352
cvssv4 5.1 https://github.com/mayan-edms/Mayan-EDMS
generic_textual MODERATE https://github.com/mayan-edms/Mayan-EDMS
cvssv4 5.1 https://github.com/mayan-edms/mayan-edms/commit/398c480c10416d76e7c1dcb607e726e8fc988e72
generic_textual MODERATE https://github.com/mayan-edms/mayan-edms/commit/398c480c10416d76e7c1dcb607e726e8fc988e72
cvssv4 5.1 https://github.com/mayan-edms/mayan-edms/issues/3
generic_textual MODERATE https://github.com/mayan-edms/mayan-edms/issues/3
cvssv4 5.1 https://github.com/pypa/advisory-database/tree/main/vulns/mayan-edms/PYSEC-2014-110.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/mayan-edms/PYSEC-2014-110.yaml
cvssv4 5.1 https://nvd.nist.gov/vuln/detail/CVE-2014-3840
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2014-3840
cvssv4 5.1 http://www.exploit-db.com/exploits/33493
generic_textual MODERATE http://www.exploit-db.com/exploits/33493
Data source Exploit-DB
Date added May 29, 2014
Description Mayan-EDms Web-Based Document Management OS System - Multiple Persistent Cross-Site Scripting Vulnerabilities
Ransomware campaign use Known
Source publication date May 24, 2014
Exploit type webapps
Platform multiple
Source update date May 29, 2014
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at http://research.openflare.org/advisories/OF-2014-09/mayan-edbs-storedxss.txt
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at http://research.openflare.org/poc/maya-edms/maya-edms_multiple_xss.avi
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at http://seclists.org/oss-sec/2014/q2/349
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at http://seclists.org/oss-sec/2014/q2/352
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/mayan-edms/Mayan-EDMS
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/mayan-edms/mayan-edms/commit/398c480c10416d76e7c1dcb607e726e8fc988e72
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/mayan-edms/mayan-edms/issues/3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/mayan-edms/PYSEC-2014-110.yaml
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2014-3840
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at http://www.exploit-db.com/exploits/33493
Exploit Prediction Scoring System (EPSS)
Percentile 0.78078
EPSS Score 0.01071
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:03:37.749831+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/mayan-edms/PYSEC-2014-110.yaml 38.6.0