CVE-2026-24833
Published: 28 January 2026
Summary
CVE-2026-24833 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Dnnsoftware Dotnetnuke. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS payload in module description executes arbitrary JavaScript in the Persona Bar admin interface, directly enabling browser session hijacking of other privileged users.
NVD Description
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user…
more
in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
Deeper analysisAI
CVE-2026-24833 is a cross-site scripting (XSS) vulnerability (CWE-79) affecting DNN Platform, an open-source web content management system (CMS) formerly known as DotNetNuke and part of the Microsoft ecosystem. In versions prior to 9.13.10 and 10.2.0, a module could be installed containing rich text in its description field that includes executable scripts. These scripts execute when viewed by users in the Persona Bar administrative interface.
Exploitation requires network access, high privileges (PR:H), high attack complexity (AC:H), and user interaction (UI:R), as indicated by the CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H). A privileged user, such as an administrator capable of installing modules, could deploy a malicious module with XSS payload in its description. Subsequent users accessing the Persona Bar would trigger script execution, potentially leading to high-impact confidentiality, integrity, and availability compromises with changed scope.
The GitHub security advisory (GHSA-9r3h-mpf8-25gj) confirms that DNN versions 9.13.10 and 10.2.0 address the issue through a targeted fix. Security practitioners should upgrade affected installations immediately to mitigate the risk.
Details
- CWE(s)