CVE-2026-24833
Published: 28 January 2026
Summary
CVE-2026-24833 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Dnnsoftware Dotnetnuke. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-24833 is a cross-site scripting (XSS) vulnerability (CWE-79) affecting DNN Platform, an open-source web content management system (CMS) formerly known as DotNetNuke and part of the Microsoft ecosystem. In versions prior to 9.13.10 and 10.2.0, a module could be installed containing rich text in its description field that includes executable scripts. These scripts execute when viewed by users in the Persona Bar administrative interface.
Exploitation requires network access, high privileges (PR:H), high attack complexity (AC:H), and user interaction (UI:R), as indicated by the CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H). A privileged user, such as an administrator capable of installing modules, could deploy a malicious module with XSS payload in its description. Subsequent users accessing the Persona Bar would trigger script execution, potentially leading to high-impact confidentiality, integrity, and availability compromises with changed scope.
The GitHub security advisory (GHSA-9r3h-mpf8-25gj) confirms that DNN versions 9.13.10 and 10.2.0 address the issue through a targeted fix. Security practitioners should upgrade affected installations immediately to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4862
Vulnerability details
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user…
more
in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS payload in module description executes arbitrary JavaScript in the Persona Bar admin interface, directly enabling browser session hijacking of other privileged users.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation requires timely identification, reporting, and patching of vulnerabilities like this stored XSS in DNN module descriptions, directly addressing the issue via upgrades to versions 9.13.10 or 10.2.0.
Information input validation enforces sanitization of rich text inputs in module descriptions to block executable scripts from being stored.
Information output filtering encodes or escapes rich text content when rendered in the Persona Bar, preventing script execution for viewing users.