Home > Vulnerability Database > CVE-2025-10909

Mend.io Vulnerability Database

CVE-2025-10909

Date: September 24, 2025

A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. The impacted element is an unknown function of the file /admin of the component SVG File Handler. Performing manipulation of the argument logoNavbar/logoLogin results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.

Severity Score

2.4

Related Resources (10)

Url: https://github.com/novosga/novosga

Url: https://hackmd.io/@noka/B1qwCyR9ll

Url: https://vuldb.com/?id.325696

Url: https://karinagante.github.io/cve-2025-10909/#proof-of-concept-poc

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-10909

Url: https://vuldb.com/?submit.651379

Url: https://vuldb.com/?ctiid.325696

Url: https://hackmd.io/@noka/B1qwCyR9ll#%E2%9E%A4-Payload

Url: https://karinagante.github.io/cve-2025-10909/

Url: https://www.mend.io/vulnerability-database/CVE-2025-10909

Severity Score

2.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Control of Generation of Code ('Code Injection')

CWE-94

CVSS v3.1

Base Score:	2.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-10909

Date: September 24, 2025

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?