CVE-2025-59539: DNN affected by Stored Cross-Site Scripting (XSS) in Profile Biography field

September 22, 2025 (updated September 23, 2025)

Users can use special syntax to inject javascript code in their profile biography field. Although there was sanitization in place, it did not cover all possible scenarios

References

github.com/advisories/GHSA-7rcc-q6rq-jpcm
github.com/dnnsoftware/Dnn.Platform
github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-7rcc-q6rq-jpcm
nvd.nist.gov/vuln/detail/CVE-2025-59539

Code Behaviors & Features

Detect and mitigate CVE-2025-59539 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →