Vulnerability Management, Patch/Configuration Management

DotNetNuke CMS vulnerability allows server compromise via malicious SVG uploads


As reported by Tech Radar, a cross-site scripting (XSS) vulnerability in the DotNetNuke CMS allows attackers to chain exploits and take control of web servers.

The flaw, CVE-2026-40321, affects the popular open-source platform built on Microsoft technology. Attackers can upload an SVG file containing JavaScript as an image, according to Pentest Tools. When a privileged user opens the file, the embedded script executes in the browser, triggering XSS in the context of the victim's authenticated session; the script then calls an authenticated endpoint to write a backdoor file, a new web shell, directly onto the server.

The attack evades traditional defenses such as antivirus and firewalls because it uses a legitimate file type and ordinary HTTP traffic. A patch is available, but administrators should also review user registration policies and disable anonymous file uploads where they are not needed. Exploitation requires a registered account, the ability to upload SVG files, and a privileged user opening the malicious attachment.
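The report above turns on one point: an SVG is an XML document, and browsers will execute script elements, event-handler attributes and `javascript:` links inside it when the file is opened as a page rather than rendered as an `<img>`. The following is an added example, not code from DotNetNuke, Tech Radar or Pentest Tools, of the server-side check an upload handler can run before accepting an "image" that happens to be SVG. It parses the file and rejects any active content; the sample SVG documents at the bottom are constructed for the example, and the `find_active_content` / `accept_upload` names are assumptions of this example rather than any product's API.

```python
import xml.etree.ElementTree as ET  # stdlib parser; for untrusted input prefer defusedxml.ElementTree

# SVG element types that can carry or trigger script execution when the file
# is opened directly in a browser. Deliberately conservative: animation and
# foreignObject are flagged too because they can smuggle handlers or HTML.
ACTIVE_ELEMENTS = {
    "script", "foreignObject", "set", "animate", "animateTransform",
    "animateMotion", "iframe", "embed", "object", "handler",
}

# URI schemes in href/xlink:href that we never want inside an uploaded image.
FORBIDDEN_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1] if "}" in name else name


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings describing executable content in an SVG.

    An empty list means nothing suspicious was found. A parse error is itself
    a finding: a file that is not well-formed XML should not be accepted as SVG.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"parse error: {exc}"]

    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            # onload=, onclick=, onmouseover=, ... are event handlers
            if aname.lower().startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            if aname == "href":
                # normalise away whitespace/case tricks before matching the scheme
                scheme_probe = "".join(value.split()).lower()
                if scheme_probe.startswith(FORBIDDEN_SCHEMES):
                    findings.append(f"forbidden href scheme on <{name}>: {value!r}")
    return findings


def accept_upload(svg_bytes: bytes) -> bool:
    """Upload-handler decision: accept only SVG files with no active content."""
    return not find_active_content(svg_bytes)


# --- constructed sample inputs (not real attachments) -----------------------
BENIGN_SVG = (
    b'<?xml version="1.0"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)

MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b'<script>alert(1)</script>'
    b'<a xlink:href="java&#10;script:alert(1)"><text x="1" y="5">hi</text></a>'
    b'</svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "->", "accepted" if accept_upload(doc) else "rejected")
        for finding in find_active_content(doc):
            print("   ", finding)
```

Rejecting active content at upload time closes the vector the article describes, but it is worth pairing with two server-side settings that do not depend on parsing at all: serve user-uploaded files with `Content-Disposition: attachment` (so a click downloads rather than renders the file in the site's origin) and from a separate cookie-less host or with a restrictive `Content-Security-Policy`, so that any script which does slip through cannot reach the victim's authenticated session.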

Source: Tech Radar
