Dnnsoftware Dotnetnuke vulnerabilities
75 known vulnerabilities affecting dnnsoftware/dotnetnuke.
Total CVEs: 75
CISA KEV: 3 (actively exploited)
Public exploits: 14
Exploited in wild: 6
Severity breakdown: CRITICAL 3, HIGH 16, MEDIUM 54, LOW 2
Vulnerabilities
Page 3 of 4
CVE-2025-64094 | P4 | MEDIUM | CVSS 5.4 | fixed in 10.1.1 | 2025-10-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This vulnerability is fixed in 10.1.1.
nvd
CVE-2025-52485 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected ≥ 6.0.0, < 10.0.1 | 2025-06-21
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. In versions 6.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request to inject scripts in the Activity Feed Attachments endpoint which will then render in the feed. This issue has been patched in version 10.0.1.
nvd
CVE-2025-59821 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 10.1.0 | 2025-09-23
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, DNN’s URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that is returned to the browser. In these cases, the application does not sufficiently neutralize or
nvd
CVE-2020-37103 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected ≤ 9.5.0 | 2026-02-03
DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users' browsers, potentially bypassing CSRF protections and performing more damaging
nvd
CVE-2025-59539 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 10.1.0 (v10.1.0) | 2025-09-23
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, when embedding information in the Biography field, even if that field is not rich-text, users could inject javascript code that would run in the context of the website and to any other user that can view the profile i
nvd
CVE-2025-48377 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 9.13.9 | 2025-05-23
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, a specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions. Version 9.13.9 fixes the issue.
nvd
CVE-2025-48378 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 9.13.9 | 2025-05-23
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks. Version 9.13.9 fixes the issue.
nvd
CVE-2018-14486 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected v9.1.1 | 2019-03-21
DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via XML.
nvd
CVE-2020-5186 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected ≤ 9.4.4 | 2020-02-24
DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2).
nvd
CVE-2021-31858 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected ≤ 9.10.2 | 2022-07-20
DotNetNuke (DNN) 9.9.1 CMS is vulnerable to a Stored Cross-Site Scripting vulnerability in the user profile biography section which allows remote authenticated users to inject arbitrary code via a crafted payload.
nvd
CVE-2022-2922 | P4 | MEDIUM | CVSS 4.9 | CWE-23 | fixed in 9.11.0 | 2022-09-30
Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to 9.11.0.
nvd
CVE-2016-7119 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | affected ≤ 08.00.04 | 2016-08-31
Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element.
nvd
CVE-2009-4109 | P4 | MEDIUM | CVSS 5.0 | CWE-200 | affected v4.0, v4.3.5, +22 more | 2009-11-29
The install wizard in DotNetNuke 4.0 through 5.1.4 does not prevent anonymous users from accessing functionality related to determination of the need for an upgrade, which allows remote attackers to access version information and possibly other sensitive information.
nvd
CVE-2025-59546 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 10.1.0 | 2025-09-23
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, administrators and content editors can set html in module titles that could include javascript which could be used for XSS based attacks. This issue has been patched in version 10.1.0.
nvd
CVE-2026-24784 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | affected ≥ 9.0.0, < 9.13.10 and ≥ 10.0.0, < 10.2.0 | 2026-01-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
nvd
CVE-2025-62802 | P4 | MEDIUM | CVSS 4.3 | CWE-434 | fixed in 10.1.1 | 2025-10-28
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the out-of-box experience for HTML editing allows unauthenticated users to upload files. This opens a potential vector to other security issues and is not needed on most implementations. This vulnerability is fixed in 10.1.1
nvd
CVE-2026-40305 | P4 | MEDIUM | CVSS 4.3 | CWE-285 | affected ≥ 6.0.0, < 10.2.2 | 2026-04-17
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue.
nvd
CVE-2004-2323 | P4 | MEDIUM | CVSS 5.0 | affected v1.0.6, v1.0.7, +3 more | 2004-12-31
DotNetNuke (formerly IBuySpy Workshop) 1.0.6 through 1.0.10d allows remote attackers to obtain sensitive information, including the SQL server username and password, via a GET request for source or configuration files such as Web.config.
nvd
CVE-2020-11585 | P4 | MEDIUM | CVSS 4.3 | CWE-330 | affected v9.5.0 | 2020-04-06
There is an information disclosure issue in DNN (formerly DotNetNuke) 9.5 within the built-in Activity-Feed/Messaging/Userid/ Message Center module. A registered user is able to enumerate any file in the Admin File Manager (other than ones contained in a secure folder) by sending themselves a message with the file attached, e.g., by using an arbitra
nvd
CVE-2008-6542 | P4 | MEDIUM | CVSS 4.6 | affected ≤ 4.8.1, v1.0.6, +13 more | 2009-03-30
Unspecified vulnerability in the Skin Manager in DotNetNuke before 4.8.2 allows remote authenticated administrators to perform "server-side execution of application logic" by uploading a static file that is converted into a dynamic script via unknown vectors related to HTM or HTML files.
nvd