CVE-2025-35060

MEDIUM

Newforma Project Center < 2024.1 - Authenticated Stored Cross-Site Scripting via SVG File Upload

Title source: llm
STIX 2.1

Description

Newforma Info Exchange (NIX) provides a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files that contain JavaScript or other content that may be executed or rendered by a web browser using a mobile user agent.

Scores

CVSS v3 5.5
EPSS 0.0020
EPSS Percentile 9.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
newforma/project_center < 2024.1
Published Oct 09, 2025
Tracked Since Feb 18, 2026