CVE-2026-40306
Published 2026-04-17
Priority P3 · 36 · medium · 6.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
EPSS: 0.18% (7.2th percentile)
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dnn.platform | — | — |
| dnnsoftware | dotnetnuke | >= 10.0.0 < 10.2.2 | 10.2.2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
dnnsoftware Dnn.Platform up to 10.2.1 random values
vuldb·2026-04-17·CVSS 6.9
CVE-2026-40306 [MEDIUM] dnnsoftware Dnn.Platform up to 10.2.1 random values
A vulnerability described as problematic has been identified in dnnsoftware Dnn.Platform up to 10.2.1. This affects an unknown part. Such manipulation leads to insufficiently random values.
This vulnerability is listed as CVE-2026-40306. The attack may be performed from remote. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
DNN: Same HostGUID for all new installs
ghsa·2026-04-10
CVE-2026-40306 [LOW] CWE-330 DNN: Same HostGUID for all new installs
All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-17: Published