CVE-2026-24838
Published: 28 January 2026
Summary
CVE-2026-24838 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Dnnsoftware Dotnetnuke. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
- SI-10 (Information Input Validation): directly prevents XSS (CWE-79) by validating and sanitizing rich text module title inputs to block executable scripts.
- SI-15 (Information Output Filtering): prevents script execution by filtering and encoding rich text output from module titles during rendering.
- Flaw remediation: mitigates the specific flaw by requiring timely patching to DNN versions 9.13.10 or 10.2.0, which fix script execution in module titles.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
XSS enables arbitrary JavaScript execution (T1059.007) in victim browsers viewing module pages; this directly facilitates browser session hijacking (T1185) for credential/session theft or further actions, even though initial injection requires admin privileges.
NVD Description
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
Deeper analysis (AI)
CVE-2026-24838 is a cross-site scripting (XSS) vulnerability (CWE-79) in DNN Platform, an open-source web content management system (CMS) formerly known as DotNetNuke and part of the Microsoft ecosystem. The issue affects versions prior to 9.13.10 and 10.2.0, where module titles support rich text that can include scripts executable in certain scenarios. It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and potential for high impact across confidentiality, integrity, and availability with a changed scope.
Exploitation requires high privileges (PR:H), meaning an attacker needs an authenticated account with elevated permissions, such as administrative access, to inject malicious script via a module title. Once stored, the script runs in the browsers of users who view the affected module pages, in the application's own origin, which can expose session data and allow actions to be performed as those users; the changed scope (S:C) reflects that the impact extends beyond the component holding the flaw, and no user interaction beyond viewing the page is required (UI:N). The CVSS vector therefore rates the potential impact on confidentiality, integrity, and availability as high.
The official GitHub security advisory (GHSA-w9pf-h6m6-v89h) from the DNN Platform repository confirms that versions 9.13.10 and 10.2.0 address the vulnerability with a targeted fix to prevent script execution in module titles. Security practitioners should upgrade affected installations immediately and review access controls for high-privilege users to mitigate risks until patching is complete.
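The two controls listed above (SI-10 input validation, SI-15 output filtering) can be illustrated with a small C# program. This is an added example written for this page, not DNN's code and not the actual fix shipped in 9.13.10 / 10.2.0: it contrasts a rendering path that concatenates a stored module title straight into markup with one that HTML-encodes it, and adds a hypothetical plain-text policy that rejects titles carrying markup characters where rich text is not needed. The class name, method names, the 200-character limit and the sample title are all constructed for the illustration.

```csharp
using System;
using System.Net;

// Added illustration (not DNN's code): rendering a stored module title
// verbatim versus HTML-encoding it before it reaches the page.
public static class ModuleTitleRendering
{
    // Vulnerable pattern: the title is concatenated into markup unchanged,
    // so any <script> element or event-handler attribute it carries becomes
    // live HTML in every viewer's browser.
    public static string RenderTitleUnsafe(string title)
    {
        return $"<h2 class=\"module-title\">{title}</h2>";
    }

    // Hardened pattern (SI-15, output filtering): encode the title so the
    // browser displays the characters instead of interpreting them as markup.
    // WebUtility.HtmlEncode is the standard .NET API for this.
    public static string RenderTitleEncoded(string title)
    {
        return $"<h2 class=\"module-title\">{WebUtility.HtmlEncode(title)}</h2>";
    }

    // Input-side check (SI-10, input validation): where a title does not
    // actually need rich text, reject anything containing markup characters
    // rather than trying to sanitize it. Hypothetical policy for this example,
    // not DNN's own validation rules.
    public static bool IsAcceptablePlainTitle(string title)
    {
        if (string.IsNullOrWhiteSpace(title) || title.Length > 200)
            return false;
        return title.IndexOfAny(new[] { '<', '>' }) < 0;
    }

    public static void Main()
    {
        // Constructed sample: a title value that a high-privilege account
        // could store on an unpatched instance.
        string hostile = "Welcome <script>alert('xss')</script>";

        Console.WriteLine("Unsafe:  " + RenderTitleUnsafe(hostile));
        Console.WriteLine("Encoded: " + RenderTitleEncoded(hostile));
        Console.WriteLine("Plain-text policy accepts hostile title? "
                          + IsAcceptablePlainTitle(hostile));
        Console.WriteLine("Plain-text policy accepts \"Welcome\"? "
                          + IsAcceptablePlainTitle("Welcome"));
    }
}
```

Encoding on output is the control that holds regardless of how the value entered the database, which is why it is the one to rely on; input validation reduces the attack surface but cannot be the only line of defence for a field that legitimately accepts rich text. Where rich text must be preserved, replace the reject-on-markup check with a maintained allow-list HTML sanitizer rather than a hand-written filter.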
Details
- CWE(s)