CVE-2026-40321
Published: 17 April 2026
Summary
CVE-2026-40321 is a high-severity Improper Neutralization of Alternate XSS Syntax (CWE-87) vulnerability in Dnnsoftware Dotnetnuke. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 13.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of uploaded files to detect and block specially crafted SVGs containing executable scripts, directly preventing the XSS vulnerability.
- SI-15 (Information Output Filtering): Mandates filtering of information outputs when rendering uploaded SVG files, neutralizing embedded scripts and preventing XSS execution against users.
- SI-2 (Flaw Remediation): Ensures timely flaw remediation by applying the DNN 10.2.2 patch that fixes the SVG upload script injection issue.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An XSS vulnerability in a public-facing DNN CMS directly enables exploitation of public-facing web applications (T1190) and, through a malicious SVG upload, JavaScript execution in victims' browsers (T1059.007).
NVD Description
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue.
Deeper analysis
CVE-2026-40321 is a cross-site scripting (XSS) vulnerability, classified under CWE-87, affecting DNN (formerly DotNetNuke), an open-source web content management system (CMS) in the Microsoft ecosystem. In versions prior to 10.2.2, the platform allows a user to upload a specially crafted SVG file containing scripts. These scripts can target both authenticated and unauthenticated DNN users, with greater impact if executed by a power user. The vulnerability has a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).
An attacker with low privileges (PR:L) can exploit this issue over the network (AV:N) by uploading the malicious SVG file, though it requires high attack complexity (AC:H) and user interaction (UI:R), such as a victim viewing or interacting with the file. Successful exploitation changes the scope (S:C) and grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary script execution in the context of targeted users, including stealing session data, defacing content, or performing other malicious actions.
The DNN Platform version 10.2.2 fully patches this vulnerability, as detailed in the official release notes and security advisory. Security practitioners should upgrade to at least version 10.2.2 and review upload handling for SVG and similar file types, validating inputs to prevent script injection. Relevant resources include the GitHub release page at https://github.com/dnnsoftware/Dnn.Platform/releases/tag/v10.2.2 and the security advisory at https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-ffq7-898w-9jc4.
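The input-validation (SI-10) and output-filtering (SI-15) controls above describe what an upload handler for SVG files should do. The following is an added, illustrative example written for this page; it is not DNN's code and does not describe how DNN's patch works. It parses a candidate SVG with the standard library, rejects files that carry script-capable elements, event-handler attributes, non-fragment hrefs (other than raster data: URIs) or risky inline CSS, and pairs that screening with response headers that sandbox the file even when it is served inline. The sample SVGs at the bottom are constructed for the demonstration; the function names, the element and attribute lists, and the header values are choices made for this example, not settings from the advisory.

```python
"""Defensive screening of uploaded SVG files (added example; not DNN's own code)."""
import re
import xml.etree.ElementTree as ET

# Elements that can run or embed script when an SVG is rendered inline (chosen
# for this example; a production allow-list would be tuned to the site's needs).
FORBIDDEN_ELEMENTS = {
    "script", "foreignObject", "iframe", "embed", "object",
    "handler", "set", "animate", "animateTransform", "animateMotion",
}
# hrefs may only point inside the document or carry a raster data: URI.
SAFE_HREF = re.compile(r"^\s*(#|data:image/(png|jpeg|gif|webp);)", re.I)
URI_SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.\-]*:", re.I)
# CSS constructs that load external resources or (in old engines) run code.
STYLE_RISK = re.compile(r"url\s*\(|expression\s*\(|@import|javascript:", re.I)


def _local(name: str) -> str:
    """Strip a Clark-notation namespace prefix: '{ns}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def find_svg_issues(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list = clean)."""
    issues: list[str] = []
    head = data[:4096].lower()
    # DOCTYPE/ENTITY declarations and stylesheet PIs are never needed for icons;
    # ElementTree silently drops them, so refuse them on the raw bytes before parsing.
    if b"<!doctype" in head or b"<!entity" in head:
        return ["DOCTYPE/ENTITY declaration present"]
    if b"<?xml-stylesheet" in head:
        issues.append("xml-stylesheet processing instruction present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        issues.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            issues.append(f"forbidden element <{tag}>")
        if tag == "style" and el.text and STYLE_RISK.search(el.text):
            issues.append("risky <style> content")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                issues.append(f"event handler {name} on <{tag}>")
            elif name == "href" and URI_SCHEME.match(value) and not SAFE_HREF.match(value):
                issues.append(f"disallowed href on <{tag}>: {value[:40]}")
            elif name == "style" and STYLE_RISK.search(value):
                issues.append(f"risky style attribute on <{tag}>")
    return issues


def upload_response_headers() -> dict[str, str]:
    """Headers for serving a screened SVG: the output-filtering half of the defence."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # Even if screening missed something, the document may not run script,
        # load external resources or submit forms; inline CSS still renders.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed samples for the demonstration (not taken from the advisory).
SAMPLES = {
    "icon": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
            b'<circle cx="5" cy="5" r="4" fill="red"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* test */</script></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload="run()">'
              b'<rect width="1" height="1"/></svg>',
    "href": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:run()"><text>x</text></a></svg>',
    "png": b"\x89PNG\r\n\x1a\n",  # wrong file type with an .svg name
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:7s} -> {find_svg_issues(blob) or 'clean'}")
```

Screening and sandboxing are complementary: the element list will never be complete against every browser quirk, so the CSP keeps a missed case from executing, while the screen keeps obviously hostile files out of storage in the first place. Rejecting uploads that fail to parse also stops files whose MIME type was guessed from the extension.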
Details
- CWE(s)