CVE-2026-40321: stored XSS in DNN (DotNetNuke) prior to v10.2.2 chains to full RCE.

pentesttools@infosec.exchange

Any authenticated user can upload a crafted SVG with embedded JavaScript. If a power user opens it, the payload calls DNN's own config endpoint to drop an ASPX backdoor in the server root.

One file. One click. Full RCE. CVSS 8.1, patched, fully documented.

Write-up + PoC payloads: https://pentest-tools.com/blog/dotnetnuke-xss-to-rce

More research from our team: https://pentest-tools.com/research

#offensivesecurity #penetrationtesting #infosec

CIRCLE WITH A DOT

CVE-2026-40321: stored XSS in DNN (DotNetNuke) prior to v10.2.2 chains to full RCE.