DotNetNuke.Core
NuGet | 24 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting DotNetNuke.Core
- CVE-2007-0660 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 03.02.01 | 2007-02-01
Cross-site scripting (XSS) vulnerability in the IFrame module before 03.02.01 for DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "Pass through values."
- CVE-2008-6540 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 4.8.2 | 2009-03-30
DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass int…
- CVE-2013-4649 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 7.1.1 | 2014-03-12
vulnerable: 7.0.0, 7.0.6.121, 7.1.0
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to inject arbitrary web script or HTML via the __dnnVariable parameter to the default URI.
- CVE-2013-7335 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 7.1.1 | 2014-03-12
vulnerable: 7.0.0, 7.0.6.121, 7.1.0
Open redirect vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
- CVE-2015-1566 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 7.4.0 | 2015-02-09
vulnerable: 6.0.0 ... 7.3.1.20 (8 versions)
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 7.4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2015-2794 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 7.4.1 | 2017-02-06
vulnerable: 6.0.0 ... 7.4.0.353 (9 versions)
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
- CVE-2016-7119 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 8.0.1 | 2016-08-31
vulnerable: 6.0.0 ... 8.0.0.809 (12 versions)
Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element.
- CVE-2017-0929 | HIGH | CVSS 7.5 | EG 9.0 | ✓ Fixed in 9.2.0 | 2018-07-03
vulnerable: 6.0.0 ... 9.1.1.129 (20 versions)
DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.
- CVE-2017-9822 | HIGH | CVSS 8.8 | EG 9.0 | ⚠ KEV | ✓ Fixed in 9.1.1 | 2017-07-20
vulnerable: 6.0.0 ... 9.1.0.367 (19 versions)
DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites."
- CVE-2018-14486 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-03-21
vulnerable: 6.0.0 ... 9.1.0.367 (19 versions)
DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via XML.
- CVE-2018-15811 | HIGH | CVSS 7.5 | EG 9.0 | ⚠ KEV | ✓ Fixed in 9.2.2 | 2019-07-03
vulnerable: 9.2.0.366, 9.2.1.533
DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.
- CVE-2018-15812 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 9.2.2 | 2019-07-03
vulnerable: 9.2.0.366, 9.2.1.533
DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.
- CVE-2018-18325 | HIGH | CVSS 7.5 | EG 9.0 | ⚠ KEV | ✓ Fixed in 9.3.0 | 2019-07-03
vulnerable: 6.0.0 ... 9.2.1.533 (22 versions)
DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.
- CVE-2018-18326 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 9.3.0 | 2019-07-03
vulnerable: 6.0.0 ... 9.2.1.533 (22 versions)
DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.
- CVE-2019-12562 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 9.4.0 | 2019-09-26
vulnerable: 6.0.0 ... 9.3.2 (25 versions)
Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perform any action with admin privileges suc…
- CVE-2020-5186 | MEDIUM | CVSS 5.4 | EG 5.4 | 2020-02-24
vulnerable: 6.0.0 ... 9.4.4 (30 versions)
DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2).
- CVE-2020-5187 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 9.5.0 | 2020-02-24
vulnerable: 6.0.0 ... 9.4.4 (30 versions)
DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 of 2).
- CVE-2020-5188 | MEDIUM | CVSS 6.5 | EG 6.5 | 2020-02-24
vulnerable: 6.0.0 ... 9.4.4 (30 versions)
DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions.
- CVE-2022-2922 | MEDIUM | CVSS 4.9 | EG 4.9 | ✓ Fixed in 9.11.0 | 2022-09-30
vulnerable: 6.0.0 ... 9.9.1 (42 versions)
Relative Path Traversal in GitHub repository dnnsoftware/dnn.platform prior to 9.11.0.
- CVE-2025-32372 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 9.13.8 | 2025-04-09
vulnerable: 6.0.0 ... 9.9.1 (57 versions)
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute …
- CVE-2025-59535 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 10.1.0 | 2025-09-22
vulnerable: 10.0.0 ... 9.9.1 (61 versions)
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even…
- CVE-2026-40305 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 10.2.2 | 2026-04-17
vulnerable: 10.0.0 ... 9.9.1 (66 versions)
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the …
- CVE-2026-40306 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 10.2.2 | 2026-04-17
vulnerable: 10.0.0 ... 10.2.1 (7 versions)
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 pa…
- CVE-2026-40321 | HIGH | CVSS 8.0 | EG 8.0 | ✓ Fixed in 10.2.2 | 2026-04-17
vulnerable: 10.0.0 ... 9.9.1 (66 versions)
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authent…