Description
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
Published: 2026-01-27
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to embed crafted scripts into a module title via the richtext field, causing those scripts to execute when the page is viewed. This stored XSS can lead to client‑side code execution, potentially harvesting session data, defacing content, or redirecting users. The weakness is classified as CWE‑79 (improper neutralization of input during web page generation).

Affected Systems

The flaw affects the DNN Platform by dnnsoftware. Versions earlier than 9.13.10 in the 9.x branch and earlier than 10.2.0 in the 10.x branch are vulnerable. These releases are part of the open‑source DotNetNuke CMS.

Risk and Exploitability

The associated CVSS score of 9.1 indicates critical severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at the current time. The issue is not listed in CISA's KEV catalog, further indicating limited known exploitation. The likely attack surface involves users with permission to edit module titles; if such a user injects malicious code, the payload will execute in the browser of any other user who visits the page. The vulnerability relies on storage and subsequent rendering of input, making it a persistent threat that can impact many users once a malicious title is stored.

Generated by OpenCVE AI on April 18, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to DNN Platform version 9.13.10 or newer, or 10.2.0 or newer, as the fix is included in those releases.
  • Restrict or remove the richtext capability for the module title field, ensuring only plain text is accepted.
  • Apply a content‑sanitization rule that strips script tags from stored titles or otherwise neutralizes executable code, and verify that only trusted users can edit module titles.



Advisories
Source | ID | Title
GitHub GHSA | GHSA-w9pf-h6m6-v89h | DotNetNuke.Core Vulnerable to Stored XSS via Module Title
History

Wed, 04 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dnnsoftware dotnetnuke
CPEs | | cpe:2.3:a:dnnsoftware:dotnetnuke:*:*:*:*:*:*:*:*
Vendors & Products | | Dnnsoftware dotnetnuke

Wed, 28 Jan 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 12:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Dnnsoftware; Dnnsoftware dnn Platform
Vendors & Products | | Dnnsoftware; Dnnsoftware dnn Platform

Wed, 28 Jan 2026 00:30:00 +0000

Type | Values Removed | Values Added
Description | | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
Title | | DotNetNuke.Core Vulnerable to Stored XSS via Module Title
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T15:03:27.676Z

Reserved: 2026-01-27T14:51:03.058Z

Link: CVE-2026-24838

Vulnrichment

Updated: 2026-01-28T15:03:22.746Z

NVD

Status: Analyzed

Published: 2026-01-28T01:16:14.350

Modified: 2026-02-04T20:10:41.243

Link: CVE-2026-24838

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:00:10Z

Weaknesses