CVE-2018-16407
Description
Mayan EDMS before 3.0.3 suffers from a stored XSS vulnerability in the Tags app where unescaped tag label values execute JavaScript in user browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a stored cross-site scripting (XSS) issue in the Tags app of Mayan EDMS versions prior to 3.0.3. Tag label values are not escaped before being inserted into the DOM by the JavaScript templates in mayan_app.js (lines 62 and 71), which run when tags are selected during the document upload workflow, so any markup stored in a label is rendered as live HTML. [1][4]
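The two rendering patterns described above, side by side, as an added example that is not Mayan EDMS code: `renderTagOptionUnsafe` interpolates the label straight into markup the way the affected templates did, `renderTagOptionSafe` escapes it first, and `templateEscapesLabel` is a small regression probe for any such template. All function names and the sample tags are hypothetical.

```javascript
// Added example (not from Mayan EDMS): unescaped vs. escaped tag-label templates.

// Constructed sample tags; the second carries stored markup in its label.
const tags = [
  { id: 1, label: 'invoices' },
  { id: 2, label: '<script>alert(1)</script>' },
];

// Vulnerable pattern: the label is concatenated into HTML as-is.
function renderTagOptionUnsafe(tag) {
  return '<option value="' + tag.id + '">' + tag.label + '</option>';
}

// Escape the characters that HTML parsers treat specially, in both
// text and quoted-attribute context.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Fixed pattern: every untrusted value passes through escapeHtml.
function renderTagOptionSafe(tag) {
  return '<option value="' + escapeHtml(tag.id) + '">' +
    escapeHtml(tag.label) + '</option>';
}

// Regression probe: render a label made of markup-significant characters,
// strip the <option> wrapper the template is allowed to emit, and report
// whether any of those characters survived unescaped.
const PROBE_TAG = { id: 0, label: '<>"\'&' };
function templateEscapesLabel(render) {
  const body = render(PROBE_TAG)
    .replace(/^<option value="[^"]*">/, '')
    .replace(/<\/option>$/, '');
  return !/[<>"']/.test(body);
}

console.log(renderTagOptionUnsafe(tags[1])); // script tag emitted verbatim
console.log(renderTagOptionSafe(tags[1]));   // script tag rendered as text
console.log(templateEscapesLabel(renderTagOptionUnsafe), templateEscapesLabel(renderTagOptionSafe));
```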
Exploitation
An attacker must have the ability to create or modify tags (typically any authenticated user can do so). The attacker creates a tag with a malicious label, such as test. When a victim user goes to upload a document, selects a document type, and then clicks into the tag input field, the application dynamically generates a `` element containing the unescaped label. This results in the injected script executing in the victim's browser context. [4]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, unauthorized actions performed on behalf of the victim, data exfiltration, or defacement of the application interface. The impact is scoped to the browser and the victim's privileges within Mayan EDMS. [1][4]
Mitigation
The issue is fixed in Mayan EDMS version 3.0.3 and later. Users should upgrade to the latest version. No official workaround is documented in the references. [1][2]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mayan-edms (PyPI) | < 3.0.3 | 3.0.3 |
Affected products: 1
Patches: 0
No patches discovered yet.
References (6)
- github.com/advisories/GHSA-5h6m-9mvx-m6c5 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-16407 (advisory)
- github.com/pypa/advisory-database/tree/main/vulns/mayan-edms/PYSEC-2018-15.yaml (web)
- gitlab.com/mayan-edms/mayan-edms/blob/master/HISTORY.rst (web)
- gitlab.com/mayan-edms/mayan-edms/commit/076468a9225e4630a463c0bbceb8e5b805fe380c (web)
- gitlab.com/mayan-edms/mayan-edms/issues/496 (web)