CVE-2025-64095
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-28

Last updated on: 2025-11-03

Assigner: GitHub, Inc.

Description
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 10.1.1, the default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files. An unauthenticated user can upload and replace existing files allowing defacing a website and combined with other issue, injection XSS payloads. This vulnerability is fixed in 10.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-28
Last Modified
2025-11-03
Generated
2026-06-16
AI Q&A
2025-10-28
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64095
EUVD
EUVD-2025-36564
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dnnsoftware dotnetnuke to 10.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in DNN (formerly DotNetNuke) prior to version 10.1.1, where the default HTML editor provider allows unauthenticated users to upload files and overwrite existing images. This means an attacker without logging in can upload files that replace existing ones, potentially defacing the website. Additionally, this can be combined with other issues to inject cross-site scripting (XSS) payloads.

Impact Analysis

The vulnerability can lead to website defacement by allowing attackers to replace existing files with malicious ones. It also enables injection of XSS payloads, which can compromise the integrity and security of the website, potentially leading to data theft, user session hijacking, or further exploitation of the system.

Mitigation Strategies

Upgrade DNN (DotNetNuke) to version 10.1.1 or later, as this version fixes the vulnerability related to unauthenticated file uploads and file overwriting in the default HTML editor provider.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64095. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart