Skip to main content

Microsoft CVE-2026-40321

HIGH
Improper Neutralization of Alternate XSS Syntax (CWE-87)
2026-04-17 GitHub_M GHSA-ffq7-898w-9jc4
8.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.0 HIGH
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Patch released
Apr 18, 2026 - 02:30 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Apr 17, 2026 - 22:22 NVD
8.1 (HIGH) 8.0 (HIGH)
Analysis Generated
Apr 17, 2026 - 22:10 vuln.today
Analysis Generated
Apr 17, 2026 - 21:45 vuln.today
CVE Published
Apr 17, 2026 - 21:10 nvd
HIGH 8.0

DescriptionGitHub Advisory

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue.

AnalysisAI

Stored cross-site scripting (XSS) via malicious SVG file upload in DNN Platform (DotNetNuke) versions before 10.2.2 allows low-privileged authenticated users to execute arbitrary JavaScript in the context of other users' browsers. Attackers can craft SVG files containing embedded scripts that execute when viewed by victims, with elevated impact if targeting administrative users. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis. CVSS 8.1 (High) reflects the scope change and high confidentiality/integrity impact despite requiring both authentication and user interaction.

Technical ContextAI

DNN Platform (formerly DotNetNuke) is an ASP.NET-based open-source content management system in the Microsoft ecosystem. The vulnerability stems from CWE-87 (Improper Neutralization of Alternate XSS Syntax), indicating insufficient sanitization of SVG file uploads. SVG files are XML-based and can contain script elements, style-based JavaScript, or event handlers that execute in the browser when rendered. The platform's file upload mechanism fails to strip or sandbox these executable elements before storage. Affected product identified as cpe:2.3:a:dnnsoftware:dnn.platform versions prior to 10.2.2. This is a stored XSS variant where the malicious payload persists on the server and executes whenever users access the uploaded SVG resource, as opposed to reflected XSS requiring per-victim delivery.

RemediationAI

Upgrade to DNN Platform version 10.2.2 or later, which patches the SVG file upload sanitization issue. Release available at https://github.com/dnnsoftware/Dnn.Platform/releases/tag/v10.2.2 with vendor advisory at https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-ffq7-898w-9jc4. If immediate patching is not feasible, implement compensating controls: disable SVG file uploads through file upload extension restrictions in DNN admin settings (impacts legitimate SVG usage for graphics); restrict file upload permissions to highly trusted users only (reduces attack surface but limits platform functionality); implement Content Security Policy headers with script-src directives to block inline script execution (may break legitimate DNN features relying on inline scripts). For high-risk environments, consider serving uploaded files from a separate domain with restrictive CSP to prevent credential access (requires infrastructure changes and URL rewriting). Each mitigation trades security against functionality-patching to 10.2.2 is the only complete solution without operational impact.

Share

CVE-2026-40321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy