- Malicious SVG uploads in DotNetNuke execute JavaScript when clicked
- Attacks require only one admin click to trigger full server compromise
- XSS flaws allow attackers to act using the victim’s authenticated session
Cybercriminals can now chain together exploits and gain control of web servers by exploiting a critical cross-site scripting (XSS) vulnerability in the DotNetNuke CMS.
The flaw, tracked as CVE-2026-40321, affects the popular open source platform, which is built on Microsoft technology and powers over 750,000 websites globally.
According to Pentest Tools, a malicious SVG file containing JavaScript code can be uploaded as an image, and a click on this file executes the embedded payload and writes a backdoor file directly to the server.
How attackers bypass the CMS filters to upload malicious files
By default, DotNetNuke allows users to register accounts and upload SVG files to their own user folders.
Although these SVG files contain JavaScript inside an anchor tag, the platform’s content filter does not block the upload, and a victim clicking on an SVG file that carries even a simple payload is enough to trigger the XSS.
Since the “Click Me” button now generally looks suspicious, some attackers embed a fake login page image in SVG.
When a victim clicks on the embedded image, the JavaScript payload is executed in the browser using the existing authenticated session.
The attackers then exploit /API/personaBar/ConfigConsole/UpdateConfigFile, an authenticated endpoint that allows users with sufficient privileges to write files to the server.
The payload generates a new ASPX web shell, essentially a backdoor that accepts commands via URL parameters.
With this, the attacker runs malware, steals data, or disables security tools on the underlying Windows server.
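As an added example (not from the article and not DotNetNuke's own code): a conservative server-side check, written in Python, that an upload handler could run on SVG files before storing them. It parses the file as XML and rejects it when it finds script or foreignObject elements, event-handler attributes, or anchor hrefs that use the javascript: scheme described above; the sample SVGs below are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an SVG drawn to look like a plain "sign in" image whose
# whole area is wrapped in an anchor with a javascript: URI, the pattern the
# article describes.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="400" height="200">
  <a xlink:href="javascript:alert(1)">
    <rect width="400" height="200" fill="#eee"/>
    <text x="20" y="100">Sign in to continue</text>
  </a>
</svg>"""

# Constructed sample: an ordinary static icon with nothing active in it.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'

URI_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
DANGEROUS_TAGS = {"script", "foreignObject"}
ACTIVE_SCHEME_RE = re.compile(r"^(javascript|vbscript):", re.I)

def localname(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG upload should be rejected; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if localname(root.tag) != "svg":
        findings.append(f"root element is <{localname(root.tag)}>, not <svg>")
    for el in root.iter():
        name = localname(el.tag)
        if name in DANGEROUS_TAGS:
            findings.append(f"<{name}> element present")
        for attr, value in el.attrib.items():
            if localname(attr).lower().startswith("on"):
                findings.append(f"event handler attribute {localname(attr)} on <{name}>")
            # Browsers ignore control characters and whitespace inside the
            # scheme, so strip them before matching to avoid trivial evasion.
            cleaned = re.sub(r"[\x00-\x20]", "", value)
            if attr in URI_ATTRS and ACTIVE_SCHEME_RE.match(cleaned):
                findings.append(f"{localname(attr)} on <{name}> uses an active script scheme")
    return findings

def is_safe_svg(data: bytes) -> bool:
    """Accept the upload only when no finding was raised."""
    return svg_findings(data) == []
```

A check like this belongs in the upload path itself, not only in the browser, and pairs with serving user files with a Content-Disposition: attachment header so that SVGs in user folders are downloaded rather than rendered.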
Why is the vulnerability dangerous?
This vulnerability is dangerous because the attack chain completely defeats common security defenses.
All the attacker needs is to convince a single privileged user to click on a malicious image, which can compromise the entire system – no password needed and no need to exploit server software.
Regular antivirus software will be of little or no help here because it may not detect the attack.
The malicious payload is delivered via a legitimate SVG file and executed with native browser capabilities, rendering the tool irrelevant.
A configured firewall will also not block the outgoing connection because the attack uses standard HTTP traffic.
Malware removal tools are ineffective against a backdoor that was never installed by traditional means, but was instead written to disk by an authenticated request.
The vulnerability is serious, but fortunately the attack only works when several conditions match perfectly.
The attacker needs a registered account on the target website, the ability to upload SVG files, and a privileged user who clicks on a suspicious attachment.
Administrators must therefore be vigilant, check file extensions and disable unnecessary user uploads to protect their sites.
While there is an official patch for the vulnerability, which organizations running DotNetNuke should prioritize, administrators should also review user registration policies.
If anonymous file uploads are not needed, they should be disabled immediately.