CVE-2026-24836
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-02-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dnnsoftware | dotnetnuke | From 9.0.0 (inc) to 9.13.10 (exc) |
| dnnsoftware | dotnetnuke | From 10.0.0 (inc) to 10.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in DNN (DotNetNuke) versions starting from 9.0.0 up to versions before 9.13.10 and 10.2.0. It allows extensions to write rich text in log notes that can include scripts. These scripts would then run in the PersonaBar interface when the log notes are displayed, potentially enabling cross-site scripting (XSS) attacks. The issue was fixed in versions 9.13.10 and 10.2.0.
How can this vulnerability impact me? :
This vulnerability can lead to cross-site scripting attacks within the PersonaBar of the DNN platform. An attacker could execute malicious scripts when viewing log notes, potentially leading to unauthorized actions, data theft, or compromise of user sessions. The CVSS score indicates a high impact on confidentiality, integrity, and availability, meaning it can severely affect the security of the system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade DNN (DotNetNuke) to version 9.13.10 or later, or version 10.2.0 or later, as these versions contain the fix for the vulnerability.