CVE-2025-52486: 
C# vulnerability analysis and mitigation

CVE-2025-52486 affects DNN (formerly DotNetNuke), an open-source web content management platform in the Microsoft ecosystem. The vulnerability was discovered in versions 6.0.0 to before 10.0.1, where DNN.PLATFORM allows specially crafted content in URLs to be used with TokenReplace that is not properly sanitized by some SkinObjects. The issue was disclosed on June 20, 2025, and has been patched in version 10.0.1 (GitHub Advisory).

The vulnerability is classified as a Cross-site Scripting (XSS) issue, identified as CWE-79 (Improper Neutralization of Input During Web Page Generation). According to the CVSS v4.0 scoring, it received a score of 6.1 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N. The vulnerability specifically relates to the TokenReplace functionality and its interaction with SkinObjects, where URL content is not properly sanitized (NVD).

The vulnerability primarily affects the security of subsequent systems with high confidentiality impact, while maintaining no direct impact on the vulnerable system's confidentiality, integrity, or availability. This suggests that successful exploitation could lead to information disclosure in connected systems (GitHub Advisory).

The vulnerability has been patched in DNN.PLATFORM version 10.0.1. Users are advised to upgrade to this version or later to address the security issue (NVD).