High severityOSV Advisory· Published Jan 27, 2026· Updated Jan 28, 2026
DotNetNuke.Core Vulnerable to Stored XSS in Scheduler LogNotes
CVE-2026-24836
Description
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
DotNetNuke.CoreNuGet | >= 9.0.0, <= 9.13.9 | — |
DotNetNuke.CoreNuGet | >= 10.0.0, < 10.02.0 | 10.02.0 |
Affected products
1- Range: v10.0.0, v10.0.1, v10.1.0, …
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-2g5g-hcgh-q3rpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24836ghsaADVISORY
- github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2g5g-hcgh-q3rpghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.