Dnnsoftware Dotnetnuke vulnerabilities
75 known vulnerabilities affecting dnnsoftware/dotnetnuke.
Total CVEs: 75
CISA KEV: 3 (actively exploited)
Public exploits: 14
Exploited in wild: 6
Severity breakdown: CRITICAL 3, HIGH 16, MEDIUM 54, LOW 2
Vulnerabilities
Page 2 of 4
CVE-2025-32374 | P3 | HIGH | CVSS 7.5 | CWE-770 | fixed in 9.13.8 | 2025-04-09
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Possible denial of service with specially crafted information in the public registration form. This vulnerability is fixed in 9.13.8.
nvd
CVE-2006-4973 | P4 | MEDIUM | CVSS 4.3 | PoC | v1.0.6, v1.0.7 +10 more | 2006-09-25
Cross-site scripting (XSS) vulnerability in Default.aspx in Perpetual Motion Interactive Systems DotNetNuke before 3.3.5, and 4.x before 4.3.5, allows remote attackers to inject arbitrary HTML via the error parameter.
nvd
CVE-2025-32373 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | fixed in 9.13.8 | 2025-04-09
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In limited configurations, registered users may be able to craft a request to enumerate/access some portal files they should not have access to. This vulnerability is fixed in 9.13.8.
nvd
CVE-2008-7102 | P3 | HIGH | CVSS 7.5 | CWE-20 | v2.1.1, v2.1.2 +20 more | 2009-08-27
DotNetNuke 2.0 through 4.8.4 allows remote attackers to load .ascx files instead of skin files, and possibly access privileged functionality, via unknown vectors related to parameter validation.
nvd
CVE-2025-59535 | P3 | MEDIUM | CVSS 6.5 | CWE-20 | fixed in 10.1.0 | 2025-09-22
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner
nvd
CVE-2026-40306 | P3 | MEDIUM | CVSS 6.5 | CWE-330 | ≥ 10.0.0, < 10.2.2 | 2026-04-17
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue.
nvd
CVE-2025-32036 | P4 | MEDIUM | CVSS 6.5 | CWE-804 | fixed in 9.13.8 | 2025-04-08
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. The algorithm used to generate the captcha image shows the least complexity of the desired image. For this reason, the created image can be easily read by OCR tools, and the intruder can send automatic requests by building a robot and using
nvd
CVE-2008-6541 | P4 | MEDIUM | CVSS 6.8 | CWE-20 | ≤ 4.8.1, v1.0.6 +15 more | 2009-03-30
Unrestricted file upload vulnerability in the file manager module in DotNetNuke before 4.8.2 allows remote administrators to upload arbitrary files and gain privileges to the server via unspecified vectors.
nvd
CVE-2008-7100 | P4 | MEDIUM | CVSS 6.5 | v4.4.1, v4.5.2 +11 more | 2009-08-27
Unspecified vulnerability in DotNetNuke 4.4.1 through 4.8.4 allows remote authenticated users to bypass authentication and gain privileges via unknown vectors related to a "unique id" for user actions and improper validation of a "user identity."
nvd
CVE-2025-59547 | P4 | MEDIUM | CVSS 5.3 | CWE-176 | fixed in 10.1.0 | 2025-09-23
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the CKEditor file upload endpoint has insufficient sanitization for filenames allowing probing network endpoints. A specially crafted request can be made to upload a file with Unicode characters, which would be trans
nvd
CVE-2020-5188 | P4 | MEDIUM | CVSS 6.5 | CWE-434 | ≤ 9.4.4 | 2020-02-24
DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions.
nvd
CVE-2004-2324 | P4 | HIGH | CVSS 7.5 | v1.0.6, v1.0.7 +3 more | 2004-12-31
SQL injection vulnerability in DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows remote attackers to modify the backend database via the (1) table and (2) field parameters in LinkClick.aspx.
nvd
CVE-2022-47053 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 7.0.0, ≤ 9.10.2 | 2023-04-12
An arbitrary file upload vulnerability in the Digital Assets Manager module of DNN Corp DotNetNuke v7.0.0 to v9.10.2 allows attackers to execute arbitrary code via a crafted SVG file.
nvd
CVE-2008-6399 | P4 | MEDIUM | CVSS 6.4 | CWE-264 | v4.5.2, v4.8.1 +4 more | 2009-03-05
Unspecified vulnerability in DotNetNuke 4.5.2 through 4.9 allows remote attackers to "add additional roles to their user account" via unknown attack vectors.
nvd
CVE-2025-52486 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 6.0.0, < 10.0.1 | 2025-06-21
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows specially crafted content in URLs to be used with TokenReplace and not be properly sanitized by some SkinObjects. This issue has been patched in version 10.0.1.
nvd
CVE-2025-59548 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 10.1.0 | 2025-09-23
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, specially crafted URLs to the FileBrowser are vulnerable to javascript injection, affecting any unsuspecting user clicking such link. This issue has been patched in version 10.1.0.
nvd
CVE-2026-24837 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 9.0.0, < 9.13.10; ≥ 10.0.0, < 10.2.0 | 2026-01-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
nvd
CVE-2026-24836 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≥ 9.0.0, < 9.13.10; ≥ 10.0.0, < 10.2.0 | 2026-01-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issu
nvd
CVE-2026-24833 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 9.13.10; ≥ 10.0.0, < 10.2.0 | 2026-01-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
nvd
CVE-2026-24838 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 9.13.10; ≥ 10.0.0, < 10.2.0 | 2026-01-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
nvd