Package details: pkg:nuget/DotNetNuke.Core@9.11.1
purl pkg:nuget/DotNetNuke.Core@9.11.1
Next non-vulnerable version 10.2.2
Latest non-vulnerable version 10.2.2
Risk 4.5
Vulnerabilities affecting this package (16)
Vulnerability Summary Fixed by
VCID-2d1y-21mg-9kdx
Aliases:
CVE-2025-59546
GHSA-gj8m-5492-q98h
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, administrators and content editors can set HTML in module titles that could include JavaScript, which could be used for XSS-based attacks. This issue has been patched in version 10.1.0.
10.1.0
Affected by 9 other vulnerabilities.
VCID-4wd1-t7cm-9yd2
Aliases:
CVE-2025-48378
GHSA-m4hf-fxcg-cp34
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks. Version 9.13.9 fixes the issue.
9.13.9
Affected by 13 other vulnerabilities.
VCID-6227-44sm-nkbb
Aliases:
CVE-2026-24836
GHSA-2g5g-hcgh-q3rp
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write rich text in log notes, which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
10.2.0
Affected by 4 other vulnerabilities.
VCID-as6z-jr8m-6kbm
Aliases:
CVE-2025-59821
GHSA-jc4g-c8ww-5738
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, DNN’s URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that is returned to the browser. In these cases, the application does not sufficiently neutralize or encode characters that are meaningful in HTML, so an attacker can cause a victim’s browser to interpret attacker-controlled content as part of the page’s HTML. This issue has been patched in version 10.1.0.
10.1.0
Affected by 9 other vulnerabilities.
VCID-axxm-bb71-33dj
Aliases:
CVE-2026-40321
GHSA-ffq7-898w-9jc4
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue.
10.2.2
Affected by 0 other vulnerabilities.
VCID-c87b-2p6c-xqh8
Aliases:
CVE-2025-59539
GHSA-7rcc-q6rq-jpcm
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, when embedding information in the Biography field, even if that field is not rich-text, users could inject JavaScript code that would run in the context of the website for any other user who can view the profile, including administrators and/or superusers. This issue has been patched in version 10.1.0.
10.1.0
Affected by 9 other vulnerabilities.
VCID-epah-7729-rqba
Aliases:
CVE-2025-59545
GHSA-2qxc-mf4x-wr29
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be executed when processed through certain commands, leading to potential script execution (XSS). This issue has been patched in version 10.1.0.
10.1.0
Affected by 9 other vulnerabilities.
VCID-f55k-m678-vbfr
Aliases:
CVE-2025-48377
GHSA-79m3-rvx2-3qq9
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, a specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions. Version 9.13.9 fixes the issue.
9.13.9
Affected by 13 other vulnerabilities.
VCID-fyxq-vtfm-s3ec
Aliases:
CVE-2026-24838
GHSA-w9pf-h6m6-v89h
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, the module title supports rich text, which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
9.13.10
Affected by 0 other vulnerabilities.
10.2.0
Affected by 4 other vulnerabilities.
VCID-k89y-aedv-uugd
Aliases:
CVE-2026-24837
GHSA-vm5q-8qww-h238
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
10.2.0
Affected by 4 other vulnerabilities.
VCID-kwns-m3j3-8kb7
Aliases:
CVE-2026-40305
GHSA-fpj4-9qhx-5m6m
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue.
10.2.2
Affected by 0 other vulnerabilities.
VCID-q3he-ta5n-hkec
Aliases:
CVE-2025-32372
GHSA-3f7v-qx94-666m
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requests against target systems, including internal or adjacent networks. This vulnerability facilitates a semi-blind SSRF attack, allowing attackers to make the target server send requests to internal or external URLs without viewing the full responses. Potential impacts include internal network reconnaissance and bypassing firewalls. This vulnerability is fixed in 9.13.8.
9.13.8
Affected by 15 other vulnerabilities.
VCID-q7dx-jb8e-wua4
Aliases:
GHSA-fcpv-w245-r2q7
DotNetNuke.Core security code analysis rules triggered. The codebase raises code analysis warnings related to security, including CA3075, CA5366, CA5371, CA5368, CA5369, CA5372, CA5379, CA5350, and CA5351. Most of these deal with disabling DTD processing in XML documents, but they also include cryptographic algorithm choices.
10.2.2
Affected by 0 other vulnerabilities.
VCID-smd5-xy65-jufc
Aliases:
CVE-2025-64094
GHSA-hmvq-8p83-cq52
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This vulnerability is fixed in 10.1.1.
10.1.1
Affected by 8 other vulnerabilities.
VCID-trdq-rcjg-s7gy
Aliases:
CVE-2025-59535
GHSA-wq2j-w9pm-7x2p
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on unsuspecting clients without knowledge of the site owner. This issue has been patched in version 10.1.0.
10.1.0
Affected by 9 other vulnerabilities.
VCID-wau9-knn5-vqbp
Aliases:
CVE-2026-24784
GHSA-jjwg-4948-6wxp
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
9.13.10
Affected by 0 other vulnerabilities.
10.2.0
Affected by 4 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T22:04:19.565801+00:00 GitLab Importer Affected by VCID-q7dx-jb8e-wua4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/GHSA-fcpv-w245-r2q7.yml 38.6.0
2026-06-12T22:00:58.967941+00:00 GitLab Importer Affected by VCID-kwns-m3j3-8kb7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-40305.yml 38.6.0
2026-06-12T21:59:45.211066+00:00 GitLab Importer Affected by VCID-axxm-bb71-33dj https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-40321.yml 38.6.0
2026-06-12T20:53:26.765336+00:00 GitLab Importer Affected by VCID-6227-44sm-nkbb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-24836.yml 38.6.0
2026-06-12T20:53:13.854551+00:00 GitLab Importer Affected by VCID-k89y-aedv-uugd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-24837.yml 38.6.0
2026-06-12T20:53:11.820455+00:00 GitLab Importer Affected by VCID-wau9-knn5-vqbp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-24784.yml 38.6.0
2026-06-12T20:52:52.099374+00:00 GitLab Importer Affected by VCID-fyxq-vtfm-s3ec https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2026-24838.yml 38.6.0
2026-06-12T20:27:47.025000+00:00 GitLab Importer Affected by VCID-smd5-xy65-jufc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-64094.yml 38.6.0
2026-06-12T20:21:22.737711+00:00 GitLab Importer Affected by VCID-as6z-jr8m-6kbm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-59821.yml 38.6.0
2026-06-12T20:21:18.249377+00:00 GitLab Importer Affected by VCID-2d1y-21mg-9kdx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-59546.yml 38.6.0
2026-06-12T20:21:03.765590+00:00 GitLab Importer Affected by VCID-epah-7729-rqba https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-59545.yml 38.6.0
2026-06-12T20:20:21.733532+00:00 GitLab Importer Affected by VCID-trdq-rcjg-s7gy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-59535.yml 38.6.0
2026-06-12T20:20:15.259616+00:00 GitLab Importer Affected by VCID-c87b-2p6c-xqh8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-59539.yml 38.6.0
2026-06-12T20:02:13.931105+00:00 GitLab Importer Affected by VCID-4wd1-t7cm-9yd2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-48378.yml 38.6.0
2026-06-12T20:02:12.417838+00:00 GitLab Importer Affected by VCID-f55k-m678-vbfr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-48377.yml 38.6.0
2026-06-12T19:58:45.269013+00:00 GitLab Importer Affected by VCID-q3he-ta5n-hkec https://gitlab.com/gitlab-org/advisories-community/-/blob/main/nuget/DotNetNuke.Core/CVE-2025-32372.yml 38.6.0