Cyber Resilience

CVE-2026-24833

High

Published: 28 January 2026

Published
28 January 2026
Modified
04 February 2026
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0006 17.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24833 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Dnnsoftware Dotnetnuke. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-24833 is a cross-site scripting (XSS) vulnerability (CWE-79) affecting DNN Platform, an open-source web content management system (CMS) formerly known as DotNetNuke and part of the Microsoft ecosystem. In versions prior to 9.13.10 and 10.2.0, a module could be installed containing rich text in its description field that includes executable scripts. These scripts execute when viewed by users in the Persona Bar administrative interface.

Exploitation requires network access, high privileges (PR:H), high attack complexity (AC:H), and user interaction (UI:R), as indicated by the CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H). A privileged user, such as an administrator capable of installing modules, could deploy a malicious module with XSS payload in its description. Subsequent users accessing the Persona Bar would trigger script execution, potentially leading to high-impact confidentiality, integrity, and availability compromises with changed scope.

The GitHub security advisory (GHSA-9r3h-mpf8-25gj) confirms that DNN versions 9.13.10 and 10.2.0 address the issue through a targeted fix. Security practitioners should upgrade affected installations immediately to mitigate the risk.

EU & UK References

Vulnerability details

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user…

more

in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS payload in module description executes arbitrary JavaScript in the Persona Bar admin interface, directly enabling browser session hijacking of other privileged users.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24838Same product: Dnnsoftware Dotnetnuke
CVE-2026-24837Same product: Dnnsoftware Dotnetnuke
CVE-2026-24836Same product: Dnnsoftware Dotnetnuke
CVE-2026-40321Same product: Dnnsoftware Dotnetnuke
CVE-2025-64095Same product: Dnnsoftware Dotnetnuke
CVE-2025-25203Shared CWE-79
CVE-2025-67959Shared CWE-79
CVE-2025-68835Shared CWE-79
CVE-2026-32118Shared CWE-79
CVE-2025-24617Shared CWE-79

Affected Assets

dnnsoftware
dotnetnuke
≤ 9.13.10 · 10.0.0 — 10.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation requires timely identification, reporting, and patching of vulnerabilities like this stored XSS in DNN module descriptions, directly addressing the issue via upgrades to versions 9.13.10 or 10.2.0.

prevent

Information input validation enforces sanitization of rich text inputs in module descriptions to block executable scripts from being stored.

prevent

Information output filtering encodes or escapes rich text content when rendered in the Persona Bar, preventing script execution for viewing users.

References