CVE-2025-10909 MEDIUM

CVE-2025-10909: Mangati NovoSGA SVG File admin cross site scripting

Vendor Mangati
Product NovoSGA
Weakness CWE-79 · XSS
Published September 24, 2025
Last update October 20, 2025
View on NVD All CVEs

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. The impacted element is an unknown function of the file /admin of the component SVG File Handler. Performing manipulation of the argument logoNavbar/logoLogin results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.

Key dates

02Disclosure timeline

September 24, 2025 CVE published
October 20, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-21080 Adobe Connect Reflected Cross-site Scripting via query parameter CVE-2026-6447 Call for Price for WooCommerce <= 4.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Call for Price' Label Settings CVE-2024-56221 WordPress WPMozo Addons Lite for Elementor plugin <= 1.2.0 - Cross Site Scripting (XSS) vulnerability CVE-2024-3138 francoisjacquet RosarioSIS Add Portal Note cross site scripting CVE-2023-32237 Auth. Stored Cross-Site Scripting (XSS) vulnerability in TheGem theme by CodexThemes