A critical cross-site scripting vulnerability in the DotNetNuke content management system allows attackers to gain full server control by tricking administrators into clicking malicious SVG image files.

Key Points

• The vulnerability, tracked as CVE-2026-40321, affects the DotNetNuke open-source platform used by over 750,000 websites globally.
• Attackers upload SVG files containing JavaScript payloads that execute within an authenticated user's browser session upon being clicked.
• Exploitation allows attackers to access the /API/personaBar/ConfigConsole/UpdateConfigFile endpoint to write an ASPX web shell directly to the server.
• Successful execution grants attackers the ability to steal data, disable security tools, or run malware on the underlying Windows server.
• Administrators are urged to apply the official patch and disable unnecessary user file upload permissions to mitigate the risk.

Why it Matters

This flaw is particularly dangerous because it bypasses traditional security defenses like firewalls and antivirus software by utilizing legitimate HTTP traffic and native browser features. Organizations must prioritize patching and restrict upload privileges to prevent attackers from gaining unauthorized administrative control over their web infrastructure.