CVE-2025-59535: DNN allows loading unused themes on anonymous clients through query parameters
Arbitrary installed themes can be loaded through query parameters. If an installed theme had a vulnerability, it could be loaded for unsuspecting clients without the site owner's knowledge, even if that theme was not used on any page.
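A detection check for this behaviour, added here as an example (it is not DNN project code and is not from the advisory): it scans access-log lines for requests whose SkinSrc or ContainerSrc query parameter names a theme or container that the site does not actually assign to any page. The allowlist, the log lines and the assumption of Common Log Format are all constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: the only skins/containers this hypothetical site assigns
# to pages. Values are compared case-insensitively with backslashes normalised,
# since DNN resolves these as file paths on Windows.
ALLOWED = {
    "skinsrc": {"[g]skins/aperture/home", "[g]skins/aperture/inner"},
    "containersrc": {"[g]containers/aperture/title", "[g]containers/aperture/notitle"},
}

# Common Log Format request line: client IP, identity, user, timestamp, "METHOD target version"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Constructed sample log; the second line carries the query parameters quoted in the advisory.
LOG_LINES = [
    '203.0.113.5 - - [01/Oct/2025:10:00:00 +0000] "GET /Home.aspx HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Oct/2025:10:00:05 +0000] "GET /?SkinSrc=%5BG%5Dskins%2Fxcillion%2Fhome'
    '&ContainerSrc=%5BG%5DContainers%2FXcillion%2FNoTitle HTTP/1.1" 200 7001',
    '198.51.100.9 - - [01/Oct/2025:10:01:00 +0000] "GET /Blog.aspx?skinsrc=%5BG%5DSkins%2FAperture%2FInner HTTP/1.1" 200 6100',
]


def normalize(value):
    """Canonical form for a theme path: forward slashes, trimmed, lower-cased."""
    return value.replace("\\", "/").strip().lower()


def unexpected_themes(target):
    """Return (param, decoded value) pairs for SkinSrc/ContainerSrc values outside the allowlist.

    Parameter names are matched case-insensitively because ASP.NET query-string
    lookups are case-insensitive; parse_qs performs the percent-decoding.
    """
    findings = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        allowed = ALLOWED.get(name.lower())
        if allowed is None:
            continue  # not a theme-selection parameter
        findings.extend((name, v) for v in values if normalize(v) not in allowed)
    return findings


def scan_log(lines):
    """Return (client IP, param, value) for every request selecting an unexpected theme."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            hits.extend((m["ip"], name, value) for name, value in unexpected_themes(m["target"]))
    return hits


if __name__ == "__main__":
    for ip, name, value in scan_log(LOG_LINES):
        print(f"{ip} requested unexpected {name}={value}")
```

Because a theme not assigned to any page should never appear in these parameters, any hit is worth triage; the same allowlist can back a request-filtering rule at the reverse proxy until the fix referenced below is deployed.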
References
- dnncommunity.org/?SkinSrc=%5BG%5Dskins%2Fxcillion%2Fhome&ContainerSrc=%5BG%5DContainers%2FXcillion%2FNoTitle
- github.com/advisories/GHSA-wq2j-w9pm-7x2p
- github.com/dnnsoftware/Dnn.Platform
- github.com/dnnsoftware/Dnn.Platform/commit/72f30f69fd2214d77f6c2577dfcca495a24caf5c
- github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-wq2j-w9pm-7x2p
- nvd.nist.gov/vuln/detail/CVE-2025-59535