CVE-2025-59539: 
C# vulnerability analysis and mitigation

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. The vulnerability (CVE-2025-59539) was discovered and disclosed on September 23, 2025, affecting all versions prior to 10.1.0. The vulnerability allows users to inject JavaScript code through the Biography field that would execute in the context of the website, even when the field is not rich-text enabled (GitHub Advisory).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 Base Score of 5.4 (Medium) according to NVD, while GitHub rates it at 6.3 (Medium). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating it requires network access, has low attack complexity, requires low privileges, and needs user interaction. The vulnerability is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows malicious users to inject JavaScript code that executes in the context of the website for any user viewing the profile, including administrators and superusers. This could potentially lead to unauthorized access to sensitive information and compromise of administrative accounts (GitHub Advisory).

The vulnerability has been patched in DNN Platform version 10.1.0. Users are advised to upgrade to this version or later to protect against this security issue (GitHub Advisory).