DotNetNuke Persistent Cross-Site Scripting Vulnerability

Vulnerability

A persistent cross-site scripting vulnerability has been identified in DotNetNuke (DNN) version 9.5. It allows normal users to upload malicious XML files containing executable scripts via the journal tools. The uploaded XML files can include scripts in the XHTML namespace, which are executed as arbitrary JavaScript in the browsers of users. Exploitation could potentially bypass Cross-Site Request Forgery (CSRF) protections and facilitate more harmful attacks.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where uploaded scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, a normal user can upload an XML file through the journal tools in their profile. The XML file must include a script tag within the XHTML namespace. Once uploaded, the script will execute in the user's browser, demonstrating the cross-site scripting vulnerability.
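
A server-side upload check for the condition described above, as an added example that is not DNN's own code or fix: it parses the uploaded XML with namespace awareness and reports any element in the XHTML namespace, whatever prefix the file uses. Going beyond the case on the page, it also reports the SVG namespace and DOCTYPE declarations, which are assumptions of this example; the function and sample names are hypothetical.

```python
import xml.parsers.expat as expat

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"  # assumption: also treated as script-capable
ACTIVE_NAMESPACES = {XHTML_NS, SVG_NS}


class _StopParsing(Exception):
    """Raised from a handler to abandon the document early."""


def find_active_markup(data: bytes) -> list:
    """Return the reasons an uploaded XML file should be rejected ([] if none)."""
    findings = []
    # A namespace separator makes expat report names as "<namespace-uri> <local>",
    # so the check does not depend on which prefix the file chose.
    parser = expat.ParserCreate(namespace_separator=" ")

    def on_start(name, attrs):
        ns, _, local = name.rpartition(" ")
        if ns in ACTIVE_NAMESPACES:
            findings.append(f"<{local}> in {ns}")

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Refuse DTDs outright instead of letting entities be defined and expanded.
        findings.append("DOCTYPE declaration")
        raise _StopParsing

    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except _StopParsing:
        pass
    except expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings


# Constructed samples (not taken from the advisory); the script body is inert.
SAMPLE_PREFIXED = (b'<?xml version="1.0"?><note>'
                   b'<x:script xmlns:x="http://www.w3.org/1999/xhtml">/* placeholder */</x:script>'
                   b'</note>')
SAMPLE_DEFAULT_NS = b'<html xmlns="http://www.w3.org/1999/xhtml"><body/></html>'
SAMPLE_PLAIN = b'<?xml version="1.0"?><note><to>team</to></note>'
SAMPLE_DTD = b'<!DOCTYPE note [<!ENTITY a "b">]><note>&a;</note>'

if __name__ == "__main__":
    for sample in (SAMPLE_PREFIXED, SAMPLE_DEFAULT_NS, SAMPLE_PLAIN, SAMPLE_DTD):
        print(find_active_markup(sample) or "accepted")
```

A check like this complements, and does not replace, serving user uploads as downloads or from a separate origin so the browser never renders them in the site's context.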

Added: Feb 3, 2026, 7:10 PM
Updated: Feb 3, 2026, 7:10 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 1.7
exploitability: 6.5
remediation: 7.7
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.