- Malicious SVG payloads in DotNetNuke execute JavaScript when clicked
- Attack requires just one admin click to trigger a full server compromise
- XSS flaw allows attackers to act using the victim’s authenticated session
Cybercriminals can now chain exploits and gain control of web servers by exploiting a critical cross-site scripting (XSS) vulnerability in the DotNetNuke CMS.
The flaw, identified as CVE-2026-40321, affects the popular open source platform built with Microsoft technology and operates on more than 750,000 websites worldwide.
According to Pentest Tools, a malicious SVG file containing JavaScript code can be uploaded as an image and clicking on this file executes the embedded payload and writes a backdoor file directly to the server.
Article continues below.
How attackers bypass CMS filters to upload malicious files
By default, DotNetNuke allows users to register accounts and upload SVG files to their own user directories.
Even if these SVG files contain JavaScript inside an anchor tag, the platform’s content filter does not prevent loading, and if a victim clicks on an SVG file containing simple payloads, it is enough to trigger XSS.
Since the “Click me” button now generally looks suspicious, some attackers embed a fake login page image in the SVG.
Once a victim clicks on the booby-trapped image, the JavaScript payload is executed in the browser using the existing authenticated session.
The attackers then exploit /API/personaBar/ConfigConsole/UpdateConfigFile, an authenticated endpoint that allows users with sufficient privileges to write files to the server.
The payload generates a new ASPX web shell, essentially a backdoor that accepts commands via URL parameters.
With this, the attacker executes malware, steals data, or disables security tools on the underlying Windows server.
Why is vulnerability dangerous?
This vulnerability is dangerous because the attack chain completely overrides normal security defenses.
All the attacker needs is to convince a single privileged user to click on a malicious image, which can compromise the entire system – no password required or exploiting server software.
Regular antivirus software will be of little or no help in this case because it may not detect the attack.
The malicious payload is delivered via a legitimate SVG file and executed with native browser functions, thus rendering the tool irrelevant.
A configured firewall would also not block the outgoing connection because the attack uses standard HTTP traffic.
Malware removal tools are ineffective against a backdoor that was never installed by traditional means, but was instead written to disk via an authenticated request.
The vulnerability is serious, but fortunately the attack only works when several conditions align perfectly.
The attacker needs a registered account on the target site, the ability to upload SVG files, and a privileged user to click on a suspicious attachment.
Therefore, administrators should be vigilant, check file extensions and disable unnecessary user uploads to protect themselves.
Although there is an official patch for the vulnerability, which organizations running DotNetNuke should prioritize, administrators should also review user registration policies.
If uploading anonymous files is not necessary, they should be disabled immediately.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
