CVE-2025-10909 CVE-2025-10909

CVE-2025-10909

Introduction

What if simply uploading an SVG file could compromise a user’s browser? In this post, I’ll walk you through a stored XSS vulnerability I discovered in NovoSGA that leverages a file upload bypass to inject and execute JavaScript.

Below you’ll find the technical details, a step-by-step PoC, payloads, impact, and official references.


What is CVE-2025-10909?

The CVE-2025-10909 is a Stored Cross-Site Scripting (XSS) vulnerability triggered through SVG file upload bypass. Unlike traditional input-based XSS, this flaw allows an attacker to upload a malicious SVG containing embedded JavaScript. When rendered by the browser, this script executes automatically, compromising any user who accesses the file.

This type of issue is especially dangerous because it persists on the server and doesn’t require user interaction beyond simply visiting the file’s URL.


Technical Details

» Vulnerable Endpoint: /admin

» Affected Parameters: logoNavbar, logoLogin

» Trigger Pages: /uploads/logo-navbar.svg?_=[ID], /uploads/logo-login.svg?_=[ID]

» Payload Used:

xss.svg
<svg xmlns=""http://www.w3.org/2000/svg"" fill=""none"">
<script>
alert(""This is an XSS-POC from CVEHUNTERS"");
</script>
</svg>

Proof of Concept (PoC)

To reproduce the vulnerability:

» Save the payload as: xss.svg;

» Go to: /admin;

» Click on the: “Escolher arquivo” button to upload the files;

» Then, click on: “Salvar”:

» Go to the trigger pages:

The files will automatically load, triggering the malicious payloads.

  • Parameter logoNavbar:
  • Parameter logoLogin:

You can access the full technical report with all step-by-step evidence here:

CVE-2025-10909 Report


Impact

This Cross-Site Scripting (XSS) vulnerability can be exploited to:

  • Steal session cookies (session hijacking);
  • Install malware on victims’ devices;
  • Steal credentials stored in the browser;
  • Redirect users to malicious websites;
  • Deface the application interface;
  • Damage the institutional reputation.

Official Sources

This vulnerability was reported responsibly and is publicly registered as:


Credits

Discovered with💜 by Karina Gante.

LinkedInGitHubGmailInstagram

Official Member of CVE-Hunters🏹


← Back to blog