CVE-2026-24836
Published: 28 January 2026
Summary
CVE-2026-24836 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Dnnsoftware Dotnetnuke. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The vulnerability is ranked at the 4.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-24836 is a cross-site scripting (XSS) vulnerability (CWE-79) in DNN (formerly DotNetNuke), an open-source web content management platform (CMS) in the Microsoft ecosystem. The issue affects versions starting from 9.0.0 and prior to 9.13.10 and 10.2.0, where extensions could write rich text, including scripts, into log notes. These scripts would execute when the notes are displayed in the PersonaBar administrative interface. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).
Exploitation requires network access, high privileges (PR:H), high attack complexity (AC:H), and user interaction (UI:R). A high-privileged user, such as an administrator with access to extensions that write to log notes, can inject malicious scripts into the rich text. When another user with sufficient privileges views the PersonaBar and the affected log notes, the scripts execute in that user's browser context, potentially leading to high confidentiality, integrity, and availability impacts with a changed scope (S:C), such as session hijacking, data theft, or further system compromise.
The GitHub security advisory at https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2g5g-hcgh-q3rp details the issue and confirms that DNN versions 9.13.10 and 10.2.0 include fixes. Security practitioners should upgrade affected DNN installations to these patched versions to mitigate the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4863
Vulnerability details
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write rich text in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the privileged PersonaBar admin interface directly enables arbitrary JavaScript execution in other admins' browsers, facilitating browser session hijacking (T1185), theft of web session cookies (T1539), and use of those cookies as alternate authentication material (T1550.004).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the XSS vulnerability by requiring timely remediation of the flaw through upgrading DNN to patched versions 9.13.10 or 10.2.0.
- SI-15 (Information Output Filtering): prevents script execution in the PersonaBar by filtering rich text outputs from log notes prior to rendering in the browser.
- SI-10 (Information Input Validation): blocks injection of malicious scripts into log notes by validating rich text inputs written by extensions.
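The output-filtering control (SI-15) above amounts to sanitizing stored rich text before an administrative UI renders it. The following is an added example, not code from the DNN project or from the advisory: an allowlist sanitizer for HTML log notes in JavaScript, of the kind that would sit between storage and the admin page's DOM. It assumes notes are stored as HTML strings and that only simple inline and list markup plus plain http(s) links is ever legitimate in a note; the tag allowlist and the sample note are constructed for illustration. Any tag not on the allowlist, including <script> and anything carrying on* handlers, is re-emitted as visible text rather than markup, and the same function doubles as an input validator if applied when an extension writes the note (SI-10).

```javascript
// Added example (not DNN project code): allowlist sanitizer for rich-text
// log notes, applied before a note is inserted into an admin UI's DOM.
// Assumption: notes are HTML strings; the allowlist below is illustrative.

const ALLOWED_TAGS = new Set([
  "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "code", "a",
]);

// Escape text so the browser cannot interpret it as markup. Existing
// entity references (&amp;, &#39;, &#x27;) are left alone to avoid
// double-encoding already-encoded notes.
function escapeText(s) {
  return s
    .replace(/&(?!(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);)/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Keep an href only if it is a plain http(s) URL; javascript:, data:,
// vbscript: and values containing control characters are dropped.
function safeHref(attrs) {
  const m = /href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
  if (!m) return null;
  const raw = (m[1] ?? m[2] ?? m[3]).trim();
  if (/[\u0000-\u001f]/.test(raw)) return null;
  return /^https?:\/\//i.test(raw) ? raw : null;
}

// Tokenizer: anything that looks like a tag (optional slash, a name
// starting with a letter, then everything up to the next ">").
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;

// Returns HTML in which the only "<" characters are those of allowed
// tags rebuilt here without attributes (except a vetted href on <a>).
function sanitizeRichText(html) {
  let out = "";
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index)); // text between tags
    last = m.index + m[0].length;
    const [whole, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      out += escapeText(whole); // unknown tag becomes visible text
      continue;
    }
    if (slash) {
      out += `</${name}>`;
    } else if (name === "a") {
      const href = safeHref(attrs);
      out += href
        ? `<a href="${escapeText(href)}" rel="noopener noreferrer">`
        : "<a>";
    } else {
      out += `<${name}>`; // every attribute, including on* handlers, dropped
    }
  }
  out += escapeText(html.slice(last)); // trailing text
  return out;
}

// Constructed sample note of the shape an extension might write.
const SAMPLE_NOTE =
  'Installed <b onmouseover="alert(1)">Widget</b>. ' +
  '<script>alert(document.cookie)</script> ' +
  '<a href="javascript:alert(1)">details</a>';

console.log(sanitizeRichText(SAMPLE_NOTE));
```

Because every `<` that reaches the output either belongs to a tag rebuilt from the allowlist or has been escaped, the rendered note cannot carry executable script regardless of how the input was nested or malformed. Applying the same function on the write path rejects or neutralises hostile notes before they are ever stored.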