SB2026041145 - Multiple vulnerabilities in DotNetNuke
Published: April 11, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-40305)
The vulnerability allows a remote user to force another user's account to accept a friend request.
The vulnerability exists due to improper access control in the friends feature when handling crafted requests. A remote user can send a specially crafted request to force acceptance of a friend request on behalf of another user.
2) Generation of Predictable Numbers or Identifiers (CVE-ID: CVE-2026-40306)
The vulnerability allows a remote attacker to bypass host identity assumptions.
The vulnerability exists due to the use of a hardcoded or non-unique identifier when the HostGUID is generated for a new installation. A remote attacker can rely on the predictable HostGUID value to bypass host identity assumptions.
Only new installations are affected; upgrades from 9.x.x are not affected.
3) Improper Neutralization of Alternate XSS Syntax (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary script in the context of affected users.
The vulnerability exists due to improper neutralization of alternate XSS syntax in the SVG upload handling functionality when processing a specially crafted SVG file upload. A remote user can upload a specially crafted SVG file to execute arbitrary script in the context of affected users.
User interaction is required to render the uploaded SVG content, and the impact is greater if the script executes in a power user's session.
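The defensive counterpart to vulnerability 3 is to validate SVG uploads on the parsed XML tree rather than with string matching, so that encoded or whitespace-split variants of the same payload are normalized before they are checked. The following validator is an added example written for this bulletin, not DotNetNuke's code; its element block list, the samples it checks, and the function names are this example's assumptions.

```python
# Added example (not DotNetNuke code): reject SVG uploads carrying active content.
# Checks run on the parsed XML tree, so character references such as
# &#106;avascript: are already decoded, which is what defeats alternate syntax.
import xml.etree.ElementTree as ET

# Block list is this example's assumption; adjust to the SVG features you allow.
BLOCKED_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object",
                    "animate", "set", "handler"}
BLOCKED_SCHEMES = {"javascript", "data", "vbscript"}

def _local(qname: str) -> str:
    """Strip the {namespace} prefix and fold case (<svg ONLOAD> still counts)."""
    return qname.rsplit("}", 1)[-1].lower()

def _uri_scheme(value: str) -> str:
    """Scheme as a browser sees it: whitespace and control chars dropped,
    case folded; '' for relative references such as '#icon'."""
    norm = "".join(ch for ch in value if ch > " ").lower()
    return norm.split(":", 1)[0] if ":" in norm else ""

def svg_violations(data: bytes) -> list[str]:
    """Return the reasons to reject the upload; an empty list means it passed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if _local(root.tag) != "svg":
        return ["root element is not <svg>"]
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name in BLOCKED_ELEMENTS:
            found.append(f"element <{name}>")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):  # onload, onclick, ONLOAD, ...
                found.append(f"event handler {a} on <{name}>")
            elif a == "href" and _uri_scheme(value) in BLOCKED_SCHEMES:
                found.append(f"{_uri_scheme(value)}: URI in href on <{name}>")
    return found

# Constructed samples: a harmless icon, and encoded/whitespace-split alternate syntax.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ENCODED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="&#106;ava\tscript:alert(1)"><text>hi</text></a></svg>')
```

Serving accepted files with a restrictive Content-Security-Policy and a `Content-Disposition: attachment` header limits the impact of anything the validator misses.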
Remediation
Install the update from the vendor's website.