'Chaining vulnerabilities is the hallmark of a sophisticated attack': 750,000 websites must be patched as Microsoft's popular open source Dotnetnuke CMS hit by an XSS flaw that allows attackers to hijack admin sessions and take over entire web servers

Hidden XSS flaw in DotNetNuke turns trusted uploads into attack vectors

By Efosa Udinmwen, TechRadar News, published 29 April 2026




  • Malicious SVG uploads in DotNetNuke execute JavaScript when clicked
  • Attack requires only one admin click to trigger full server compromise
  • XSS flaw allows attackers to act using the victim’s authenticated session

Cybercriminals can now chain exploits together and gain control of web servers by exploiting a critical cross-site scripting (XSS) vulnerability in the DotNetNuke CMS.

The flaw, tracked as CVE-2026-40321, affects the popular open-source platform, which is built on Microsoft technology and powers over 750,000 websites globally.

According to Pentest Tools, a malicious SVG file containing JavaScript code can be uploaded as an image, and clicking on this file executes the embedded payload and writes a backdoor file directly onto the server.


How attackers bypass the CMS filters to upload malicious files

By default, DotNetNuke allows users to register accounts and upload SVG files to their own user directories.

The platform’s content filter does not block the upload even when an SVG file contains JavaScript inside an anchor tag, and a single click by a victim on such a file, even one carrying a simple payload, is enough to trigger XSS.

Since the "Click me" button now generally looks suspicious, some attackers embed a fake login page image into the SVG.

Once a victim clicks the booby-trapped image, the JavaScript payload executes in the browser using the existing authenticated session.
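The gap described above is a server-side one: the upload filter accepts an SVG even though it contains a link that runs script. As an added example (not DotNetNuke's code and not from the Pentest Tools write-up), the Python check below inspects an uploaded SVG and rejects it if it carries active content: `<script>` or `<foreignObject>` elements, `on*` event-handler attributes, or `javascript:`/`data:`/`vbscript:` URLs in link-bearing attributes. It covers the anchor-tag case from the article and goes one step beyond it by also checking `<set>`/`<animate>` attributes that can rewrite an `href` after load. The function names and the sample SVGs are constructed for this example.

```python
"""Server-side check for SVG uploads carrying active content.

Added example, not DotNetNuke's own code. Function names and sample
files are constructed here for illustration.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

# Elements that can run code or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# Attributes whose value is a URL and may therefore carry a javascript: scheme.
# "to", "from" and "values" matter because <set>/<animate> can rewrite an href.
URL_ATTRIBUTES = {"href", "src", "to", "from", "values"}
# data: is rejected outright here as a policy choice; relax it for <image>
# if embedded raster images are a requirement.
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")
# Browsers ignore whitespace and control characters inside a scheme
# ("java\nscript:"), so strip them before matching.
_SCHEME_NOISE = re.compile(r"[\s\x00-\x1f]+")


def _local_name(qualified: str) -> str:
    """'{http://www.w3.org/1999/xlink}href' -> 'href' (namespace removed)."""
    return qualified.rsplit("}", 1)[-1].lower()


def _has_dangerous_scheme(value: str) -> bool:
    # 'values' on <animate> may list several URLs separated by ';'.
    for candidate in value.split(";"):
        cleaned = _SCHEME_NOISE.sub("", candidate).lower()
        if cleaned.startswith(DANGEROUS_SCHEMES):
            return True
    return False


def find_active_content(svg_bytes: bytes) -> List[str]:
    """Return the reasons an SVG is unsafe; an empty list means none found.

    An unparseable file is reported as unsafe rather than silently accepted.
    For production use, parse with defusedxml to also cover entity-expansion
    denial of service (not shown here).
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name in URL_ATTRIBUTES and _has_dangerous_scheme(value):
                findings.append(f"{attr_name}={value!r} on <{name}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only when no active content was found; use this to gate the upload."""
    return not find_active_content(svg_bytes)


# Constructed sample uploads (not real files from the advisory).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="blue"/></svg>')
# The anchor-tag case from the article: a clickable area whose link runs script.
ANCHOR_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<a xlink:href="javascript:alert(1)"><rect width="100" height="100"/></a></svg>')
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
# Same effect as the anchor case, but the link is rewritten by <set> after load.
SET_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><a href="#safe"><rect width="1" height="1"/>'
           b'<set attributeName="href" to="javascript:alert(1)"/></a></svg>')

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("anchor", ANCHOR_SVG),
                          ("onload", ONLOAD_SVG), ("script", SCRIPT_SVG), ("set", SET_SVG)]:
        print(label, "accepted" if is_safe_svg(sample) else "rejected", find_active_content(sample))
```

Run this check before the file is written to the user's directory, and reject on any finding rather than trying to strip the offending parts. Independently of the upload filter, serving user uploads from a separate origin, or with `Content-Disposition: attachment`, means an SVG that slips through does not render inside the CMS's origin, which is what turns a click into an action carrying the administrator's session.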
