CVE-2025-48378: DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline

May 23, 2025

Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks.

References

github.com/advisories/GHSA-m4hf-fxcg-cp34
github.com/dnnsoftware/Dnn.Platform
github.com/dnnsoftware/Dnn.Platform/commit/cfed83c291d5e5072b2fa70924a8b7c35b1cdf9e
github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-m4hf-fxcg-cp34
nvd.nist.gov/vuln/detail/CVE-2025-48378

Code Behaviors & Features

Detect and mitigate CVE-2025-48378 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →