Main Vulnerability Database Vulnerabilities #VU125826

#VU125826 Improper Neutralization of Alternate XSS Syntax in DotNetNuke

Published: April 11, 2026

Vulnerability identifier: #VU125826

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-87

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
DotNetNuke

Software vendor:
DNN

Description

The vulnerability allows a remote user to execute arbitrary script in the context of affected users.

The vulnerability exists due to improper neutralization of alternate XSS syntax in the SVG upload handling functionality when processing a specially crafted SVG file upload. A remote user can upload a specially crafted SVG file to execute arbitrary script in the context of affected users.

User interaction is required to render the uploaded SVG content, and the impact is greater if the script executes in a power user's session.

Remediation

Install security update from vendor's website.

External links

https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-ffq7-898w-9jc4

#VU125826 Improper Neutralization of Alternate XSS Syntax in DotNetNuke

Description

Remediation

External links

Please verify you're human