CVE-2025-10909

LOW

Mangati NovoSGA <= 2.2.9 - Cross-Site Scripting via SVG File Handler

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-10909. PoCs published by KarinaGante.

AI-analyzed exploit summary The repository contains a detailed technical writeup for CVE-2025-10909, which describes a stored XSS vulnerability in NovoSGA via SVG file upload bypass. It includes vulnerability details, PoC payload, and impact analysis.

Description

A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. The impacted element is an unknown function of the file /admin of the component SVG File Handler. Performing manipulation of the argument logoNavbar/logoLogin results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited.

Exploits (1)

github WRITEUP

by KarinaGante · htmlpoc

https://github.com/KarinaGante/KG-Sec/tree/main/CVEs/NovoSGA/CVE-2025-10909.md

View Code ZIP pw:eip

The repository contains a detailed technical writeup for CVE-2025-10909, which describes a stored XSS vulnerability in NovoSGA via SVG file upload bypass. It includes vulnerability details, PoC payload, and impact analysis.

Classification

Writeup 100%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: NovoSGA

Auth required

Prerequisites: Access to the /admin endpoint · Ability to upload SVG files

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (5)

Core 5

Core References

Permissions Required, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.325696

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.325696

Permissions Required, VDB Entry third-party-advisory

https://vuldb.com/?submit.651379

Various Sources related

https://karinagante.github.io/cve-2025-10909/

Various Sources exploit

https://karinagante.github.io/cve-2025-10909/#proof-of-concept-poc

Scores

CVSS v3 2.4

EPSS 0.0001

EPSS Percentile 2.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79 CWE-94

Status published

Products (11)

Mangati/NovoSGA 2.2.0

Mangati/NovoSGA 2.2.1

Mangati/NovoSGA 2.2.2

Mangati/NovoSGA 2.2.3

Mangati/NovoSGA 2.2.4

Mangati/NovoSGA 2.2.5

Mangati/NovoSGA 2.2.6

Mangati/NovoSGA 2.2.7

Mangati/NovoSGA 2.2.8

Mangati/NovoSGA 2.2.9

... and 1 more

Published Sep 24, 2025

Tracked Since Feb 18, 2026