CVE-2025-64094 MEDIUM

CVE-2025-64094: DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload

Vendor Dnnsoftware
Product Dnn.Platform
Weakness CWE-79 · XSS
Published October 28, 2025
Last update October 29, 2025

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. This vulnerability exists because of an incomplete fix for CVE-2025-48378. This vulnerability is fixed in 10.1.1.

Key dates

02Disclosure timeline

October 28, 2025 CVE published
October 29, 2025 Record updated