Dnnsoftware Dotnetnuke vulnerabilities

75 known vulnerabilities affecting dnnsoftware/dotnetnuke.

Total CVEs: 75
CISA KEV: 3 (actively exploited)
Public exploits: 14
Exploited in wild: 6
Severity breakdown: CRITICAL 3, HIGH 16, MEDIUM 54, LOW 2

Vulnerabilities

Page 1 of 4
CVE-2017-9822 | P1 | HIGH | CVSS 8.8 | KEV | PoC | Ransomware | fixed in 9.1.1 | 2017-07-20
CWE-94: DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
nvd
CVE-2018-18325 | P1 | HIGH | CVSS 7.5 | KEV | PoC | ≥ 9.2, ≤ 9.2.2 | 2019-07-03
DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.
nvd
CVE-2018-15811 | P1 | HIGH | CVSS 7.5 | KEV | PoC | ≥ 9.2, ≤ 9.2.1 | 2019-07-03
CWE-326: DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.
nvd
CVE-2025-64095 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | fixed in 10.1.1 | 2025-10-28
CWE-434: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. An unauthenticated user can upload and replace existing files allowing defacing a website and combined with othe
nvd
CVE-2025-52488 | P1 | HIGH | CVSS 8.6 | Exploited | PoC | ≥ 6.0.0, < 10.0.1 | 2025-06-21
CWE-200: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted series of malicious interaction to potentially expose NTLM hashes to a third party SMB server. This issue has been patched in version 10.0.1.
nvd
CVE-2017-0929 | P2 | HIGH | CVSS 7.5 | Exploited | PoC | fixed in 9.2.0 | 2018-07-03
CWE-918: DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.
nvd
CVE-2015-2794 | P1 | CRITICAL | CVSS 9.8 | PoC | ≤ 07.04.00 | 2017-02-06
CWE-264: The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
nvd
CVE-2018-18326 | P2 | HIGH | CVSS 7.5 | PoC | ≥ 9.2, ≤ 9.2.2 | 2019-07-03
DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.
nvd
CVE-2018-15812 | P2 | HIGH | CVSS 7.5 | PoC | ≥ 9.2, ≤ 9.2.1 | 2019-07-03
CWE-331: DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.
nvd
CVE-2019-12562 | P3 | MEDIUM | CVSS 6.1 | PoC | fixed in 9.4.0 | 2019-09-26
CWE-79: Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perform any action with admin privileges such as managing content, adding users, uploading backdoors to the server, etc. Successful exploitation occurs when
nvd
CVE-2026-40321 | P3 | HIGH | CVSS 8.0 | fixed in 10.2.2 | 2026-04-17
CWE-87: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.
nvd
CVE-2008-6540 | P3 | MEDIUM | CVSS 5.1 | PoC | ≤ 4.8.1, v1.0.6 +15 more | 2009-03-30
CWE-264: DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.
nvd
CVE-2025-59545 | P3 | CRITICAL | CVSS 9.0 | fixed in 10.1.0 | 2025-09-23
CWE-79: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be executed when processed through certain commands, leading to potential script
nvd
CVE-2020-5187 | P3 | HIGH | CVSS 8.8 | ≤ 9.4.4 | 2020-02-24
CWE-22: DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 of 2).
nvd
CVE-2025-32372 | P3 | HIGH | CVSS 7.5 | fixed in 9.13.8 | 2025-04-09
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. This vulnerability facilitates a s
nvd
CVE-2025-52487 | P3 | HIGH | CVSS 7.5 | ≥ 7.0.0, < 10.0.1 | 2025-06-21
CWE-863: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 7.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request or proxy to be created that could bypass the design of DNN Login IP Filters allowing login attempts from IP Addresses not in the allow list. This issue has bee
nvd
CVE-2021-40186 | P3 | HIGH | CVSS 7.5 | ≤ 9.10.2 | 2022-06-02
CWE-918: The AppCheck research team identified a Server-Side Request Forgery (SSRF) vulnerability within the DNN CMS platform, formerly known as DotNetNuke. SSRF vulnerabilities allow the attacker to exploit the target system to make network requests on their behalf, allowing a range of possible attacks. In the most common scenario, the attacker exploits SSRF v
nvd
CVE-2025-32035 | P3 | HIGH | CVSS 7.5 | fixed in 9.13.2 | 2025-04-08
CWE-351: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 9.13.2, when uploading files (e.g. when uploading assets), the file extension is checked to see if it's an allowed file type but the actual contents of the file aren't checked. This means that it's possible to e.g. upload an executabl
nvd
CVE-2010-4514 | P4 | MEDIUM | CVSS 4.3 | PoC | v5.05.01, v5.06.00 | 2010-12-09
CWE-79: Cross-site scripting (XSS) vulnerability in Install/InstallWizard.aspx in DotNetNuke 5.05.01 and 5.06.00 allows remote attackers to inject arbitrary web script or HTML via the __VIEWSTATE parameter. NOTE: some of these details are obtained from third party information.
nvd
CVE-2008-6644 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 4.8.3, v1.0.6 +17 more | 2009-04-07
CWE-79: Cross-site scripting (XSS) vulnerability in Default.aspx in DotNetNuke 4.8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
nvd