CVE-2026-40321
Published: 2026-04-17
Priority: P3 (57)
Severity: high, CVSS 3.1 base score 8.0
CVSS vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 7.60% (93.8th percentile)
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue.
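The advisory says the crafted SVG "could include scripts". As an added example that is not DNN's own code (DNN is C#; this is a standalone Python check), the following rejects an uploaded SVG when it contains a script or foreignObject element, an event-handler attribute, or a javascript:/data: URL, normalising the whitespace and entity tricks that CWE-87 ("alternate XSS syntax") refers to. The sample inputs are constructed here, not taken from the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Element names (namespace stripped) that run or embed active content.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URL-valued attributes that can carry a javascript: or data: scheme.
URL_ATTRIBUTES = {"href", "{http://www.w3.org/1999/xlink}href"}

def _local_name(qualified: str) -> str:
    # ElementTree spells namespaced names as '{uri}name'; keep only 'name'.
    return qualified.rsplit("}", 1)[-1].lower()

def _url_scheme(value: str) -> str:
    # Strip whitespace and control characters first: CWE-87 "alternate syntax"
    # variants hide the scheme as e.g. "java\nscript:" or "&#9;javascript:".
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return cleaned.split(":", 1)[0] if ":" in cleaned else ""

def find_active_content(svg_bytes: bytes) -> list:
    """Return findings (empty list = nothing script-bearing). Input that does not
    parse is itself a finding: a checker must never pass what it could not inspect."""
    try:
        root = ET.fromstring(svg_bytes)  # stdlib expat does not fetch external entities
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr in URL_ATTRIBUTES and _url_scheme(value) in {"javascript", "data"}:
                findings.append(f"{_url_scheme(value)}: URL in {attr_name} on <{name}>")
    return findings

def is_safe_svg(svg_bytes: bytes) -> bool:
    return not find_active_content(svg_bytes)

# Constructed samples (not from the advisory): a plain icon and a file carrying
# the kinds of active content the advisory describes.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
CRAFTED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle cx="5" cy="5" r="4" onload="alert(1)"/>
  <script>alert(1)</script>
  <a xlink:href="java&#10;script:alert(1)"><text>link</text></a>
</svg>"""
```

A positive-list sanitizer that keeps only known-safe elements and attributes is stronger than this deny-list check. Serving user uploads from a separate origin, or with a restrictive Content-Security-Policy or Content-Disposition: attachment, limits the impact of anything a check misses.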
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dnn.platform | < 10.2.2 | 10.2.2 |
| dnnsoftware | dotnetnuke | < 10.2.2 | 10.2.2 |
VulDB
CVE-2026-40321 [HIGH] dnnsoftware Dnn.Platform up to 10.2.1 SVG File cross site scripting
vuldb · 2026-04-17 · CVSS 8.0
A vulnerability classified as problematic has been found in dnnsoftware Dnn.Platform up to 10.2.1. It affects unknown code of the SVG File Handler component. Manipulation of the input results in improper neutralization of alternate XSS syntax (CWE-87).
This vulnerability is cataloged as CVE-2026-40321. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
GHSA
CVE-2026-40321 [HIGH] CWE-87 DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload
ghsa · 2026-04-10
A user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-17