CVE-2025-64094

Summary

Sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios.

Details

DNN validates the contents of SVG's to ensure they are valid and do not contain any malicious code. These checks were introduced as part of CVE-2025-48378.

However, the checks to ensure there are no script elements within the SVG files are not comprehensive and may allow some malicious SVG files to be uploaded.

As this vulnerability allows for the execution of arbitrary JavaScript code within the context of the user's browser, it can lead to a range of attacks, including data exfiltration, session hijacking, and defacement of the web application to name a few.

Published: Oct 29, 2025
Updated: Oct 30, 2025
CVE: CVE-2025-64094
GHSA: GHSA-hmvq-8p83-cq52
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
DotNetNuke.Core	-	10.1.1

https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-hmvq-8p83-cq52

Vulnerability Database

CVE-2025-64094

Summary

Details

Deep Security Visibility Without the Complexity