CVE-2025-59547 MEDIUM

CVE-2025-59547: DNN's CKEditor File Uploader functionality vulnerable through Unicode obfuscation

Vendor Dnnsoftware
Product Dnn.Platform
Weakness CWE-176
Published September 23, 2025
Last update September 23, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, the CKEditor file upload endpoint has insufficient sanitization for filenames allowing probing network endpoints. A specially crafted request can be made to upload a file with Unicode characters, which would be translated into a path that could expose resources in the internal network of the hosted site. This issue has been patched in version 10.1.0.

Key dates

02Disclosure timeline

September 23, 2025 CVE published
September 23, 2025 Record updated