CVE-2026-24836 HIGH

CVE-2026-24836: DotNetNuke.Core Vulnerable to Stored XSS in Scheduler LogNotes

Vendor Dnnsoftware

Product Dnn.Platform

Weakness CWE-79 · XSS

Published January 27, 2026

Last update January 28, 2026

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue.

Key dates

02Disclosure timeline

January 27, 2026 CVE published

January 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-24836 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

Identifiers

CVE CVE-2026-24836

CWE CWE-79

CVSS 7.7 / HIGH

Affected versions

Vendor Dnnsoftware

Product Dnn.Platform

Affected >= 9.0.0, < 9.13.10

Vendor Dnnsoftware

Product Dnn.Platform

Affected >= 10.0.0, < 10.2.0

CVE-2026-24836: DotNetNuke.Core Vulnerable to Stored XSS in Scheduler LogNotes

01Description

02Disclosure timeline

03References

04Related CVE