CVE-2025-48378 MEDIUM

CVE-2025-48378: Dnn.Platform vulnerable to Stored Cross-Site Scripting (XSS) with svg files rendered inline

Vendor Dnnsoftware

Product Dnn.Platform

Weakness CWE-79 · XSS

Published May 23, 2025

Last update May 23, 2025

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01Description

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks. Version 9.13.9 fixes the issue.

Key dates

02Disclosure timeline

May 23, 2025 CVE published

May 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-48378 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2026-32419 WordPress List category posts plugin <= 0.93.1 - Cross Site Scripting (XSS) vulnerability CVE-2022-39279 Discourse-chat plugin susceptible to XSS in channel name and description CVE-2021-24878 SupportCandy < 2.2.7 - Reflected Cross-Site Scripting CVE-2026-28343 CKEditor: Cross-site scripting (XSS) in the HTML Support package CVE-2024-5884 Beauty <= 1.1.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via tpl_featured_cat_id Parameter