
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability has been identified in Mangati NovoSGA versions up to 2.2.9 (CVE-2025-10909). The vulnerability is a Stored Cross-Site Scripting (XSS) issue that affects the SVG File Handler component in the /admin endpoint. This security flaw was discovered and disclosed on September 24, 2025 (VulDB, NVD).
The vulnerability exists in the SVG File Handler component's handling of the logoNavbar and logoLogin parameters within the /admin endpoint. The application fails to properly validate and sanitize user input in these parameters, allowing attackers to inject malicious scripts through SVG file uploads. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (Medium) and a CVSS v3.1 score of 2.4 (Low). The weakness is classified under CWE-79 (Cross-site Scripting) and CWE-94 (Code Injection) (VulDB, NVD).
The vulnerability can lead to multiple severe impacts, including session cookie theft enabling session hijacking, potential malware distribution, browser hijacking, credential theft, sensitive information exposure, website defacement, user misdirection, and potential damage to business reputation. The injected malicious code executes automatically whenever users access the affected pages (HackMD).
Currently, there are no known official mitigations or workarounds available. The vendor was contacted about this disclosure but did not respond in any way (VulDB).
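The following is an added defensive example, not NovoSGA's own code: an allow-list style check that an upload handler for logo parameters such as logoNavbar and logoLogin could run before storing an SVG, rejecting script elements, event-handler attributes and active URL schemes. The sample SVG documents are constructed here for illustration.

```python
"""Screen an uploaded SVG for stored-XSS vectors before accepting it (added example)."""
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Elements that can execute script or embed foreign/animated content in a logo
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object",
                  "animate", "set", "handler"}
HREF_ATTRS = {"href", XLINK_HREF}
ACTIVE_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag or attribute name."""
    return tag.rsplit("}", 1)[-1]


def find_svg_issues(svg_bytes: bytes) -> list:
    """Return the reasons the SVG is unsafe; an empty list means it passed."""
    issues = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        issues.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_TAGS:
            issues.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                issues.append(f"event handler attribute {aname} on <{name}>")
            elif attr in HREF_ATTRS and value.strip().lower().startswith(ACTIVE_SCHEMES):
                issues.append(f"active URL scheme in {aname} on <{name}>: {value!r}")
    return issues


# Constructed sample inputs: a plain logo and one carrying classic XSS vectors
SAFE_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<circle cx="5" cy="5" r="4"/></svg>')
UNSAFE_LOGO = (b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script>'
               b'<a href="javascript:alert(1)"><rect onload="alert(1)"/></a></svg>')

if __name__ == "__main__":
    print("safe logo issues:", find_svg_issues(SAFE_LOGO))
    print("unsafe logo issues:", find_svg_issues(UNSAFE_LOGO))
```

A check like this belongs in addition to, not instead of, serving uploaded files with a restrictive Content-Security-Policy and a non-executable content type.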
Source: This report was generated using AI