NuGet package
dotnetnuke.core
pkg:nuget/dotnetnuke.core
Vulnerabilities (35)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40321 | Hig | 8.0 |  | < 10.2.2 | 10.2.2 | Apr 17, 2026 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The |
| CVE-2026-40306 | Med | 6.5 |  | >= 10.0.0, < 10.2.2 | 10.2.2 | Apr 17, 2026 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue. |
| CVE-2026-40305 | Med | 4.3 |  | >= 6.0.0, < 10.2.2 | 10.2.2 | Apr 17, 2026 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another |
| CVE-2026-24838 | — |  |  | < 9.13.10 | 9.13.10 | Jan 27, 2026 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 con |
| CVE-2026-24837 | — |  |  | >= 9.0.0, <= 9.13.9 | — | Jan 27, 2026 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Person |
| CVE-2026-24836 | — |  |  | >= 9.0.0, <= 9.13.9 | — | Jan 27, 2026 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBa |
| CVE-2026-24784 | — |  |  | >= 9.0.0, < 9.13.10 | 9.13.10 | Jan 27, 2026 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versio |
| CVE-2025-64094 | — |  |  | < 10.1.1 | 10.1.1 | Oct 28, 2025 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix fo |
| CVE-2025-59821 | — |  |  | < 10.1.0 | 10.1.0 | Sep 23, 2025 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, DNN’s URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that is returned to the brow |
| CVE-2025-59546 | — |  |  | < 10.1.0 | 10.1.0 | Sep 23, 2025 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, administrators and content editors can set html in module titles that could include javascript which could be used for XSS based attacks. This is |
| CVE-2025-59545 | — |  |  | < 10.1.0 | 10.1.0 | Sep 23, 2025 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be execute |
| CVE-2025-59539 | — |  |  | < 10.1.0 | 10.1.0 | Sep 23, 2025 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, when embedding information in the Biography field, even if that field is not rich-text, users could inject javascript code that would run in the |
| CVE-2025-59535 | — |  |  | < 10.1.0 | 10.1.0 | Sep 22, 2025 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this cou |
| CVE-2025-48377 | — |  |  | < 9.13.9 | 9.13.9 | May 23, 2025 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, a specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions. Version 9.13.9 fixes t |
| CVE-2025-48378 | — |  |  | < 9.13.9 | 9.13.9 | May 23, 2025 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks. Version 9.13.9 fixes the issue. |
| CVE-2025-32372 | — |  |  | < 9.13.8 | 9.13.8 | Apr 9, 2025 | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target sys |
| CVE-2022-2922 | — |  |  | < 9.11.0 | 9.11.0 | Sep 30, 2022 | Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to 9.11.0. |
| CVE-2020-5186 | — |  |  | <= 9.4.4 | — | Feb 24, 2020 | DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2). |
| CVE-2020-5187 | — |  |  | < 9.5.0 | 9.5.0 | Feb 24, 2020 | DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 of 2). |
| CVE-2020-5188 | — |  |  | <= 9.4.4 | — | Feb 24, 2020 | DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions. |
Page 1 of 2