CVE-2025-64094: 
C# vulnerability analysis and mitigation

DNN (formerly DotNetNuke), an open-source web content management platform in the Microsoft ecosystem, was found to have a vulnerability in versions prior to 10.1.1 where the sanitization of uploaded SVG files was incomplete, potentially allowing cross-site scripting (XSS) attacks. This vulnerability (CVE-2025-64094) was discovered as an incomplete fix for a previous vulnerability (CVE-2025-48378) and was disclosed on October 28, 2025 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The core issue lies in the DotNetNuke.Services.FileSystem.Internal.SecurityCheckers.SvgFileChecker.Validate method, where the validation checks for script elements within SVG files were not comprehensive enough to prevent all possible XSS scenarios (Miggo, GitHub Advisory).

The vulnerability allows for the execution of arbitrary JavaScript code within the context of the user's browser, potentially leading to various attacks including data exfiltration, session hijacking, and web application defacement (GitHub Advisory).

The vulnerability has been fixed in DNN version 10.1.1. The fix implements a more robust validation system for SVG files, replacing the previous incomplete blacklist approach with a comprehensive allowlist of known-safe SVG elements and attributes (GitHub Advisory).