Remote Code Execution Vulnerability in Newforma Info Exchange
CVE-2025-35060
5.1 MEDIUM
What is CVE-2025-35060?
The Newforma Info Exchange application allows authenticated users to use its 'Send a File Transfer' feature. This feature can be exploited by remote, authenticated attackers to upload SVG files containing JavaScript or other malicious content. Such malicious files may be executed or rendered by web browsers, posing a significant risk to user data and system integrity.
Affected Version(s)
Project Center 0 < 2024.1
Project Center 2024.1
CVSS V4
Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Shadron Gudmunson, Luke Rindels, Robert McCain, Asjha Stus, Adam Merrill, Ryan Kao, Brian Healy, Sandia National Laboratories Adversarial Modeling and Penetration Testing (AMPT)