Is Dotnet affected by CVE-2026-24837?

DNN CMS installations (versions 9.0.0-9.13.9 and 10.0.0-10.1.x) are vulnerable to stored cross-site scripting attacks through module friendly names, allowing authenticated attackers to execute malicious scripts within the admin interface.

CVE-2026-24837

HIGH

2026-01-28 [email protected]

GHSA-vm5q-8qww-h238

7.6

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 28, 2026 - 00:15 nvd

HIGH 7.6

Description

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

Analysis

Stored cross-site scripting in DNN versions 9.0.0 through 9.13.9 and 10.0.0 through 10.1.x allows high-privileged users with UI interaction to inject malicious scripts into module friendly names that execute within the Persona Bar administrative interface. An authenticated attacker with sufficient permissions could exploit this to perform administrative actions or compromise other users' sessions. …

Remediation

Within 24 hours: Inventory all DNN installations and identify those running vulnerable versions (9.0.0-9.13.9 or 10.0.0-10.1.x). Within 7 days: Restrict module creation/editing permissions to trusted administrators only and implement input validation rules for module names. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2026-24837 vulnerability details – vuln.today

Back

CVE-2026-24837

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-24837

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code