Advisory

Critical stored XSS vulnerability reported in DotNetNuke Platform

Take action: If you're running DNN Platform (DotNetNuke), plan a very quick upgrade to version 10.1.0 or later to patch the stored XSS vulnerability. This is very serious, so don't ignore it! Until you can upgrade, restrict access to the Prompt module and monitor admin activity logs for suspicious behavior.


Learn More

DNN Software has patched a critical stored cross-site scripting vulnerability affecting the widely-used DotNetNuke (DNN) Platform content management system. 

The flaw is tracked as CVE-2025-59545 (CVSS score 9.1) and is caused by improper input handling within DNN's Prompt module, an interactive command-execution interface designed for administrative tasks. It allows authenticated attackers with minimal privileges to execute arbitrary scripts within the platform's trusted environment, leading to compromise of administrative sessions and sensitive data theft.

DNN Platform versions prior to 10.1.0 are vulnerable.

DNN Software has released version 10.1.0, which includes patches that ensure Prompt module command outputs are properly escaped and sanitized before rendering. 
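To illustrate the class of fix described above (escaping command output before it is rendered), here is an added example; it is not DNN's own code, and the output shape, field names and function names are assumptions chosen for the illustration.

```javascript
// Added example, not taken from the DNN Platform. Shows how a command console
// can render command output into HTML unsafely versus safely.

// Minimal HTML escaping for text placed in element content or a double-quoted
// attribute value. Other contexts (URLs, inline scripts) need their own encoders.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored values are concatenated straight into markup, so
// any markup inside a stored field becomes live HTML in the admin's browser.
function renderRowsUnsafe(rows) {
  return rows
    .map(r => "<tr>" + Object.values(r).map(v => "<td>" + v + "</td>").join("") + "</tr>")
    .join("");
}

// Hardened pattern: every value is escaped before being placed in element
// content, so stored markup is shown literally instead of being interpreted.
function renderRowsSafe(rows) {
  return rows
    .map(r => "<tr>" + Object.values(r).map(v => "<td>" + escapeHtml(v) + "</td>").join("") + "</tr>")
    .join("");
}

// Constructed sample: the kind of tabular result a "list users" style command
// might return, where one stored field contains markup (hypothetical data).
const SAMPLE_ROWS = [
  { username: "admin", displayName: "Site Admin" },
  { username: "guest", displayName: "<script>probe()</script>" },
];

// Regression check a defender can keep in a test suite: rendered output must
// not contain an unescaped tag that originated from the data.
function outputIsInert(html) {
  return !/<script\b/i.test(html);
}
```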

Organizations running affected DNN installations should immediately upgrade to version 10.1.0 or later. The update process involves updating the DotNetNuke.Core package through NuGet configuration management and redeploying updated binaries with proper server-side cache clearing procedures.

For organizations unable to immediately upgrade, interim mitigation measures include restricting access to the Prompt module interface and monitoring administrative activity logs to detect suspicious command execution patterns. These measures should not be considered permanent solutions.
