CVE-2025-48378: DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline

May 23, 2025 (updated October 31, 2025)

Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks.

References

github.com/advisories/GHSA-m4hf-fxcg-cp34
github.com/dnnsoftware/Dnn.Platform
github.com/dnnsoftware/Dnn.Platform/commit/cfed83c291d5e5072b2fa70924a8b7c35b1cdf9e
github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-m4hf-fxcg-cp34
nvd.nist.gov/vuln/detail/CVE-2025-48378

Code Behaviors & Features

Detect and mitigate CVE-2025-48378 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →