CVE-2025-10909: Mangati NovoSGA XSS vulnerability in /admin

September 24, 2025

A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. The impacted element is an unknown function of the file /admin of the component SVG File Handler. Performing manipulation of the argument logoNavbar/logoLogin results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/advisories/GHSA-4c44-r8rm-3p39
github.com/novosga/novosga
hackmd.io/@noka/B1qwCyR9ll
hackmd.io/@noka/B1qwCyR9ll
nvd.nist.gov/vuln/detail/CVE-2025-10909
vuldb.com/?ctiid.325696
vuldb.com/?id.325696
vuldb.com/?submit.651379

Code Behaviors & Features

Detect and mitigate CVE-2025-10909 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →