Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:nuget/DotNetNuke.Core@10.1.0
purl pkg:nuget/DotNetNuke.Core@10.1.0
Next non-vulnerable version 10.2.2
Latest non-vulnerable version 10.2.2
Risk 4.5
Vulnerabilities affecting this package (9)
Vulnerability Summary Fixed by
VCID-77qd-hb2k-8uam
Aliases:
CVE-2026-40306
GHSA-2rhw-gw3f-477j
DNN: Same HostGUID for all new installs DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue.
10.2.2
Affected by 0 other vulnerabilities.
VCID-7u59-m3nn-q3gj
Aliases:
CVE-2026-40321
GHSA-ffq7-898w-9jc4
DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue.
10.2.2
Affected by 0 other vulnerabilities.
VCID-cs7y-gg46-r3ca
Aliases:
CVE-2026-24836
GHSA-2g5g-hcgh-q3rp
DotNetNuke.Core Vulnerable to Stored XSS in Scheduler LogNotes Extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed.
10.2.0
Affected by 4 other vulnerabilities.
VCID-e5pw-7tpb-qyb8
Aliases:
CVE-2025-64094
GHSA-hmvq-8p83-cq52
DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload Sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios.
10.1.1
Affected by 8 other vulnerabilities.
VCID-k8b8-4muv-gye5
Aliases:
CVE-2026-40305
GHSA-fpj4-9qhx-5m6m
DNN: Force Friend Request Acceptance DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue.
10.2.2
Affected by 0 other vulnerabilities.
VCID-q3bw-2pvk-17dg
Aliases:
CVE-2026-24837
GHSA-vm5q-8qww-h238
DotNetNuke.Core Vulnerable to Stored XSS in Module Deletion Confirmation Modal A module friendly name could include scripts that will run during some module operations in the Persona Bar.
10.2.0
Affected by 4 other vulnerabilities.
VCID-q97q-u1zk-rqhd
Aliases:
CVE-2026-24784
GHSA-jjwg-4948-6wxp
DotNetNuke.Core has a potential XSS vulnerability in modules' header and footer A content editor could inject scripts in module headers/footers that would run for other users.
10.2.0
Affected by 4 other vulnerabilities.
VCID-r799-28wr-23bu
Aliases:
CVE-2026-24838
GHSA-w9pf-h6m6-v89h
DotNetNuke.Core Vulnerable to Stored XSS via Module Title Module title supports richtext which could include scripts that would execute in certain scenarios.
10.2.0
Affected by 4 other vulnerabilities.
VCID-s3s5-gwjg-rqgv
Aliases:
GHSA-fcpv-w245-r2q7
DotNetNuke.Core security code analysis rules triggered The codebase raises code analysis warnings related to security, including CA3075, CA5366, CA5371, CA5368, CA5369, CA5372, CA5379, CA5350, and CA5351. Most of these deal with disabling DTD processing in XML documents, but also includes cryptographic algorithm choices.
10.2.2
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (5)
Vulnerability Summary Aliases
VCID-erck-k36n-2yd2 DNN allows loading unused themes on anonymous clients through query parameters Arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. CVE-2025-59535
GHSA-wq2j-w9pm-7x2p
VCID-m9cg-wd76-zqcy Duplicate This advisory duplicates another. CVE-2025-59539
GHSA-7rcc-q6rq-jpcm
VCID-msru-ycnu-zuhe DNN Vulnerable to Stored Cross-Site Scripting (XSS) in the Prompt module The Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be executed when processed through certain commands, leading to potential script execution (XSS). CVE-2025-59545
GHSA-2qxc-mf4x-wr29
VCID-y61z-d6sj-qucc DNN vulnerable to Reflected Cross-Site Scripting (XSS) using url to profile A reflected cross-site scripting (XSS) vulnerability exists under certain conditions, using a specially crafter url to view a user profile CVE-2025-59821
GHSA-jc4g-c8ww-5738
VCID-zfex-gefk-byfa DNN Vulnerable to Stored XSS Using Backend Admin Credentials Users that can edit modules could set a title that includes scripts. CVE-2025-59546
GHSA-gj8m-5492-q98h

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-07T20:51:25.219494+00:00 GHSA Importer Fixing VCID-m9cg-wd76-zqcy https://github.com/advisories/GHSA-7rcc-q6rq-jpcm 38.6.0
2026-06-07T20:51:25.170108+00:00 GHSA Importer Fixing VCID-erck-k36n-2yd2 https://github.com/advisories/GHSA-wq2j-w9pm-7x2p 38.6.0
2026-06-06T08:02:35.323401+00:00 GitLab Importer Affected by VCID-s3s5-gwjg-rqgv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/GHSA-fcpv-w245-r2q7.yml 38.6.0
2026-06-06T07:57:35.090148+00:00 GitLab Importer Affected by VCID-77qd-hb2k-8uam https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-40306.yml 38.6.0
2026-06-06T07:56:52.653301+00:00 GitLab Importer Affected by VCID-k8b8-4muv-gye5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-40305.yml 38.6.0
2026-06-06T07:54:59.038721+00:00 GitLab Importer Affected by VCID-7u59-m3nn-q3gj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-40321.yml 38.6.0
2026-06-06T06:46:44.741518+00:00 GitLab Importer Affected by VCID-cs7y-gg46-r3ca https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-24836.yml 38.6.0
2026-06-06T06:46:33.839237+00:00 GitLab Importer Affected by VCID-q3bw-2pvk-17dg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-24837.yml 38.6.0
2026-06-06T06:46:31.792735+00:00 GitLab Importer Affected by VCID-q97q-u1zk-rqhd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-24784.yml 38.6.0
2026-06-06T06:46:08.736393+00:00 GitLab Importer Affected by VCID-r799-28wr-23bu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-24838.yml 38.6.0
2026-06-06T06:18:16.551394+00:00 GitLab Importer Affected by VCID-e5pw-7tpb-qyb8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-64094.yml 38.6.0
2026-06-05T21:50:20.936415+00:00 GHSA Importer Fixing VCID-y61z-d6sj-qucc https://github.com/advisories/GHSA-jc4g-c8ww-5738 38.6.0
2026-06-05T21:50:20.787037+00:00 GHSA Importer Fixing VCID-zfex-gefk-byfa https://github.com/advisories/GHSA-gj8m-5492-q98h 38.6.0
2026-06-05T21:50:20.631564+00:00 GHSA Importer Fixing VCID-msru-ycnu-zuhe https://github.com/advisories/GHSA-2qxc-mf4x-wr29 38.6.0
2026-06-04T17:08:28.751350+00:00 GithubOSV Importer Fixing VCID-y61z-d6sj-qucc https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-jc4g-c8ww-5738/GHSA-jc4g-c8ww-5738.json 38.6.0
2026-06-04T17:08:21.876897+00:00 GithubOSV Importer Fixing VCID-msru-ycnu-zuhe https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-2qxc-mf4x-wr29/GHSA-2qxc-mf4x-wr29.json 38.6.0
2026-06-04T17:08:14.507113+00:00 GithubOSV Importer Fixing VCID-zfex-gefk-byfa https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-gj8m-5492-q98h/GHSA-gj8m-5492-q98h.json 38.6.0
2026-06-04T17:07:51.562338+00:00 GithubOSV Importer Fixing VCID-m9cg-wd76-zqcy https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-7rcc-q6rq-jpcm/GHSA-7rcc-q6rq-jpcm.json 38.6.0
2026-06-04T17:07:51.222528+00:00 GithubOSV Importer Fixing VCID-erck-k36n-2yd2 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-wq2j-w9pm-7x2p/GHSA-wq2j-w9pm-7x2p.json 38.6.0
2026-06-02T04:47:56.551707+00:00 GitLab Importer Fixing VCID-y61z-d6sj-qucc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-59821.yml 38.6.0
2026-06-02T04:47:56.423570+00:00 GitLab Importer Fixing VCID-zfex-gefk-byfa https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-59546.yml 38.6.0
2026-06-02T04:47:56.281757+00:00 GitLab Importer Fixing VCID-msru-ycnu-zuhe https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-59545.yml 38.6.0
2026-06-02T04:47:55.833802+00:00 GitLab Importer Fixing VCID-erck-k36n-2yd2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-59535.yml 38.6.0
2026-06-02T04:47:55.549410+00:00 GitLab Importer Fixing VCID-m9cg-wd76-zqcy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-59539.yml 38.6.0