Dnnsoftware Dnn.Platform vulnerabilities
30 known vulnerabilities affecting dnnsoftware/dnn.platform.
Total CVEs: 30
CISA KEV: 0
Public exploits: 3
Exploited in wild: 3
Severity breakdown: CRITICAL 2, HIGH 6, MEDIUM 21, LOW 1
Vulnerabilities
Page 1 of 2
CVE-2025-64095 | P1 | CRITICAL | CVSS 9.8 | CWE-434 | Exploited | PoC | fixed in 10.1.1 | 2025-10-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. An unauthenticated user can upload and replace existing files allowing defacing a website and combined with othe
ghsa, nvd, osv
CVE-2025-52488 | P1 | HIGH | CVSS 8.6 | CWE-200 | Exploited | PoC | versions >= 6.0.0, < 10.0.1 | 2025-06-21
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.
ghsa, nvd, osv
CVE-2017-0929 | P2 | HIGH | CVSS 7.5 | CWE-918 | Exploited | PoC | fixed in 9.13.8 | 2018-07-03
DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.
nvd
CVE-2026-40321 | P3 | HIGH | CVSS 8.0 | CWE-87 | fixed in 10.2.2 | 2026-04-17
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.
nvd
CVE-2025-59545 | P3 | CRITICAL | CVSS 9.0 | CWE-79 | fixed in 10.1.0 | 2025-09-23
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be executed when processed through certain commands, leading to potential script
nvd
CVE-2025-52487 | P3 | HIGH | CVSS 7.5 | CWE-863 | versions >= 7.0.0, < 10.0.1 | 2025-06-21
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 7.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request or proxy to be created that could bypass the design of DNN Login IP Filters allowing login attempts from IP Addresses not in the allow list. This issue has bee
ghsa, nvd, osv
CVE-2025-32035 | P3 | HIGH | CVSS 7.5 | CWE-351 | fixed in 9.13.2 | 2025-04-08
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 9.13.2, when uploading files (e.g. when uploading assets), the file extension is checked to see if it's an allowed file type but the actual contents of the file aren't checked. This means that it's possible to e.g. upload an executabl
nvd
CVE-2025-32374 | P3 | HIGH | CVSS 7.5 | CWE-770 | fixed in 9.13.8 | 2025-04-09
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Possible denial of service with specially crafted information in the public registration form. This vulnerability is fixed in 9.13.8.
nvd
CVE-2025-32373 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | fixed in 9.13.8 | 2025-04-09
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In limited configurations, registered users may be able to craft a request to enumerate/access some portal files they should not have access to. This vulnerability is fixed in 9.13.8.
nvd
CVE-2025-59535 | P3 | MEDIUM | CVSS 6.5 | CWE-20 | fixed in 10.1.0 | 2025-09-22
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner
nvd
CVE-2026-40306 | P3 | MEDIUM | CVSS 6.5 | CWE-330 | versions >= 10.0.0, < 10.2.2 | 2026-04-17
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue.
nvd
CVE-2025-32036 | P4 | MEDIUM | CVSS 6.5 | CWE-804 | fixed in 9.13.8 | 2025-04-08
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. The algorithm used to generate the captcha image shows the least complexity of the desired image. For this reason, the created image can be easily read by OCR tools, and the intruder can send automatic requests by building a robot and using
nvd
CVE-2025-59547 | P4 | MEDIUM | CVSS 5.3 | CWE-176 | fixed in 10.1.0 | 2025-09-23
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the CKEditor file upload endpoint has insufficient sanitization for filenames allowing probing network endpoints. A specially crafted request can be made to upload a file with Unicode characters, which would be trans
nvd
CVE-2025-52486 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | versions >= 6.0.0, < 10.0.1 | 2025-06-21
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows specially crafted content in URLs to be used with TokenReplace and not be properly sanitized by some SkinObjects. This issue has been patched in version 10.0.1.
ghsa, nvd, osv
CVE-2025-59548 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 10.1.0 | 2025-09-23
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, specially crafted URLs to the FileBrowser are vulnerable to javascript injection, affecting any unsuspecting user clicking such link. This issue has been patched in version 10.1.0.
nvd
CVE-2026-24837 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | versions >= 9.0.0, < 9.13.10; >= 10.0.0, < 10.2.0 | 2026-01-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
nvd
CVE-2026-24836 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | versions >= 9.0.0, < 9.13.10; >= 10.0.0, < 10.2.0 | 2026-01-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issu
nvd
CVE-2026-24833 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 9.13.10 | versions >= 10.0.0, < 10.2.0 | 2026-01-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
nvd
CVE-2026-24838 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 9.13.10 | versions >= 10.0.0, < 10.2.0 | 2026-01-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
nvd
CVE-2025-52485 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | versions >= 6.0.0, < 10.0.1 | 2025-06-21
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request to inject scripts in the Activity Feed Attachments endpoint which will then render in the feed. This issue has been patched in version 10.0.1.
ghsa, nvd, osv