Improper Neutralization of Alternate XSS Syntax in DotNetNuke - #VU125826

 

Published: April 11, 2026


Vulnerability identifier: #VU125826
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-87
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DNN
Affected software:
DotNetNuke

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the context of affected users.

The vulnerability exists due to improper neutralization of alternate XSS syntax in the SVG upload handling functionality when processing a specially crafted SVG file upload. A remote user can upload a specially crafted SVG file to execute arbitrary script in the context of affected users.

User interaction is required to render the uploaded SVG content, and the impact is greater if the script executes in a power user's session.


Remediation

Install the security update from the vendor's website.
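
As a defense-in-depth check alongside the vendor update, uploaded SVG files can be parsed as XML and held to an allowlist, which rejects alternate spellings that a string blocklist would miss. The following is an added example, not DNN's code or the vendor's fix; the allowlists, the function name svg_findings and the sample files are assumptions made for illustration.

```python
import xml.parsers.expat as expat

SVG_NS = "http://www.w3.org/2000/svg"
# Assumed allowlists for static images; adjust to what the site needs.
ALLOWED_ELEMENTS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                    "polyline", "polygon", "title", "desc"}
ALLOWED_ATTRS = {"id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy",
                 "r", "rx", "ry", "d", "points", "width", "height", "viewBox",
                 "fill", "stroke", "stroke-width", "transform", "opacity"}

class _Abort(Exception):
    """Raised inside a handler to stop parsing immediately."""

def svg_findings(data):
    """Return reasons to reject an uploaded SVG; an empty list means accept."""
    findings = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A DTD can define entities; refuse before anything is expanded.
        findings.append("DOCTYPE declaration")
        raise _Abort()

    def on_start(name, attrs):
        # With namespace_separator set, expat reports "namespace-uri local",
        # so prefixes and case variants cannot disguise an element name.
        ns, _, local = name.rpartition(" ")
        if ns != SVG_NS or local not in ALLOWED_ELEMENTS:
            findings.append(f"element not allowed: {name}")
        for attr in attrs:
            # Namespaced attributes contain a space and never match the list.
            if attr not in ALLOWED_ATTRS:
                findings.append(f"attribute not allowed: {attr} on {local}")

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ProcessingInstructionHandler = (
        lambda target, text: findings.append(f"processing instruction: {target}"))
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Abort:
        pass
    except expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings

# Constructed samples, not taken from the advisory.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 4 4"><rect width="4" height="4" fill="red"/></svg>'
ACTIVE = b'<svg xmlns="http://www.w3.org/2000/svg" onload=""><script/></svg>'
```

Serving accepted files with a restrictive Content-Security-Policy, or as a download rather than inline, limits the impact if the allowlist is later found to be too broad.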
