{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40305", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T21:41:54.504Z", "datePublished": "2026-04-17T21:06:09.237Z", "dateUpdated": "2026-04-20T13:36:06.644Z"}, "containers": {"cna": {"title": "DNN has Force Friend Request Acceptance", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-fpj4-9qhx-5m6m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-fpj4-9qhx-5m6m"}, {"name": "https://github.com/dnnsoftware/Dnn.Platform/releases/tag/v10.2.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/dnnsoftware/Dnn.Platform/releases/tag/v10.2.2"}], "affected": [{"vendor": "dnnsoftware", "product": "Dnn.Platform", "versions": [{"version": ">= 6.0.0, < 10.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:06:09.237Z"}, "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue."}], "source": {"advisory": "GHSA-fpj4-9qhx-5m6m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40305", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:22:45.395312Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:36:06.644Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40305", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T13:22:45.395312Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T13:32:43.464Z"}}], "cna": {"title": "DNN has Force Friend Request Acceptance", "source": {"advisory": "GHSA-fpj4-9qhx-5m6m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "dnnsoftware", "product": "Dnn.Platform", "versions": [{"status": "affected", "version": ">= 6.0.0, < 10.2.2"}]}], "references": [{"url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-fpj4-9qhx-5m6m", "name": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-fpj4-9qhx-5m6m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dnnsoftware/Dnn.Platform/releases/tag/v10.2.2", "name": "https://github.com/dnnsoftware/Dnn.Platform/releases/tag/v10.2.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:06:09.237Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40305", "state": "PUBLISHED", "dateUpdated": "2026-04-20T13:36:06.644Z", "dateReserved": "2026-04-10T21:41:54.504Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T21:06:09.237Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue."}], "id": "CVE-2026-40305", "lastModified": "2026-04-20T19:03:07.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T22:16:32.370", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/dnnsoftware/Dnn.Platform/releases/tag/v10.2.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-fpj4-9qhx-5m6m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,10.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Dnn.Platform", "source": "cna", "vendor": "dnnsoftware"}, "product": "dnn_platform", "vendor": "dnnsoftware"}], "analysis": {"en": {"generated_at": "2026-04-18T17:05:25.697392+00:00", "value": {"mitigation_remediation": ["Update Dnn.Platform to version 10.2.2 or later to apply the vendor patch that closes the authorization bypass.", "If an upgrade is not immediately possible, temporarily disable the friends feature or block access to the friend request endpoint to prevent unauthorized friend acceptance.", "Review and tighten access controls for the friend request functionality to ensure that only the request initiator can accept or force acceptance of requests."], "summary": {"action": "Apply Patch", "impact": "Authorization Bypass"}, "threat_synthesis": {"affected_systems": "The flaw exists in the friends feature of DNN (formerly DotNetNuke) from version 6.0.0 up to, but not including, version 10.2.2 of Dnn.Platform. Versions prior to 10.2.2 are vulnerable; version 10.2.2 includes the fix.", "description_and_impact": "The vulnerability allows a user to force the acceptance of a friend request on another account by crafting a request. This bypasses normal authorization controls, enabling an attacker to establish a friendship relationship without the target account\u2019s consent. The weakness is classified as improper authorization (CWE\u2011285).", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting a low to moderate likelihood of exploitation. Attackers would need knowledge of the target user\u2019s account context and the ability to send a forged request; the attack vector is likely web-based, accessed through the application\u2019s friends feature, based on the description. With the flaw, an attacker can force the acceptance of a friend request on another account, enabling an unauthorized friendship relationship."}}}}, "created": "2026-04-17T22:30:29.500661+00:00", "updated": "2026-04-18T17:15:05.778673+00:00", "vendors": ["dnnsoftware", "dnnsoftware$PRODUCT$dnn_platform"]}