CVE-2026-24836
Published: 28 January 2026
Summary
CVE-2026-24836 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Dnnsoftware Dotnetnuke. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE ranks at the 2.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing: submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
- Input validation: validates web inputs to reject script-related content that could produce XSS.
- Output validation: checking generated web pages against expected content can reject or sanitize script content, reducing XSS exploitability.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Stored XSS in the privileged PersonaBar admin interface directly enables arbitrary JavaScript execution in other admins' browsers, facilitating browser session hijacking (T1185), theft of web session cookies (T1539), and use of those cookies as alternate authentication material (T1550.004).
NVD Description
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
Deeper analysis (AI-generated)
CVE-2026-24836 is a cross-site scripting (XSS) vulnerability (CWE-79) in DNN (formerly DotNetNuke), an open-source web content management platform (CMS) in the Microsoft ecosystem. The issue affects versions starting from 9.0.0 and prior to 9.13.10 and 10.2.0, where extensions could write rich text, including scripts, into log notes. These scripts would execute when the notes are displayed in the PersonaBar administrative interface. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).
Exploitation requires network access, high privileges (PR:H), high attack complexity (AC:H), and user interaction (UI:R). A high-privileged user, such as an administrator with access to extensions that write to log notes, can inject malicious scripts into the rich text. When another user with sufficient privileges views the PersonaBar and the affected log notes, the scripts execute in that user's browser context, potentially leading to high confidentiality, integrity, and availability impacts with a changed scope (S:C), such as session hijacking, data theft, or further system compromise.
The GitHub security advisory at https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2g5g-hcgh-q3rp details the issue and confirms that DNN versions 9.13.10 and 10.2.0 include fixes. Security practitioners should upgrade affected DNN installations to these patched versions to mitigate the vulnerability.
Details
- CWE(s)