GHSA-ffq7-898w-9jc4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ffq7-898w-9jc4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-ffq7-898w-9jc4/GHSA-ffq7-898w-9jc4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-ffq7-898w-9jc4
- Published
- 2026-04-10T20:42:48Z
- Modified
- 2026-04-10T20:48:47.643862Z
- Severity
-
- 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload
- Details
-
A user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user.
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-87" ], "severity": "HIGH", "nvd_published_at": null, "github_reviewed_at": "2026-04-10T20:42:48Z" }- References
Affected packages
NuGet / DotNetNuke.Core
Package
- Name
- DotNetNuke.Core
- View open source insights on deps.dev
- Purl
- pkg:nuget/DotNetNuke.Core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed10.2.2
Affected versions
6.*
6.0.0
7.*
7.0.0
7.0.6.121
7.1.0
7.1.2
7.2.0.613
7.3.0.499
7.3.1.20
7.4.0.353
7.4.1.280
7.4.2.216
8.*
8.0.0.809
8.0.1.239
8.0.2.4
8.0.3.5
8.0.4.226
9.*
9.0.0.1002
9.0.1.142
9.1.0.367
9.1.1.129
9.2.0.366
9.2.1.533
9.3.0
9.3.1
9.3.2
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.5.0
9.6.1
9.6.2
9.7.0
9.7.1
9.7.2
9.8.0
9.9.0
9.9.1
9.10.0
9.10.1
9.10.2
9.11.0
9.11.1
9.11.2
9.12.0
9.13.0-ci0000
9.13.0
9.13.1
9.13.2
9.13.3
9.13.4
9.13.5-ci0062
9.13.5
9.13.6
9.13.7-ci0064
9.13.7
9.13.8
9.13.9
10.*
10.0.0
10.0.1
10.1.0
10.1.1
10.1.2
10.2.0
10.2.1