CVE-2025-52486: DNN.PLATFORM Allows Reflected Cross-Site Scripting (XSS) in some TokenReplace situations with SkinObjects

June 20, 2025 (updated June 27, 2025)

DNN.PLATFORM allows specially crafted content in URLs could be used with TokenReplace and not be properly sanitized by some SkinObjects. This vulnerability is fixed in 10.0.1.

References

github.com/advisories/GHSA-pf4h-vrv6-cmvr
github.com/dnnsoftware/Dnn.Platform
github.com/dnnsoftware/Dnn.Platform/commit/74f6de68da1572c1d7e9c6e30e9f77f7c5596b1b
github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-pf4h-vrv6-cmvr
nvd.nist.gov/vuln/detail/CVE-2025-52486

Code Behaviors & Features

Detect and mitigate CVE-2025-52486 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →