Trust Issues in the Scheduler: Deep Dive into CVE-2026-24836
Vulnerability ID: CVE-2026-24836
CVSS Score: 7.7
Published: 2026-01-28
A Stored Cross-Site Scripting (XSS) vulnerability in the DNN Platform's Scheduler allows malicious tasks to embed scripts in execution logs. These logs are subsequently rendered unsanitized in the Administrative PersonaBar, leading to session hijacking or privilege escalation.
TL;DR
DNN Scheduler logs aren't just for reading errors anymore; they're for executing them. Malicious scheduled tasks can write JavaScript into the 'LogNotes' field. When an admin views the history in the PersonaBar UI, the script executes. CVSS 7.7. Fixed in 9.13.10 and 10.2.0.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- CVSS v3.1: 7.7 (High)
- Attack Vector: Network (Stored)
- Privileges Required: High (to schedule task)
- User Interaction: Required (Admin views logs)
- EPSS Score: 0.00038
Affected Systems
- DNN Platform 9.x: >= 9.0.0, < 9.13.10 (fixed in 9.13.10)
- DNN Platform 10.x: >= 10.0.0, < 10.2.0 (fixed in 10.2.0)
Code Analysis
Commit: 53cdf47
Release commit for 9.13.10 containing the fix
This is a binary/release update; the code changes themselves are usually found in the PRs preceding the release commit.
Exploit Details
- Internal research: theoretical PoC involving a custom SchedulerClient implementation.
Mitigation Strategies
- Server-side Output Encoding
- React Prop Hardening
- Database Sanitization
Remediation Steps:
- Upgrade DNN Platform to version 9.13.10 or 10.2.0.
- Audit all currently installed third-party extensions for malicious scheduling code.
- Clear the ScheduleHistory table if compromise is suspected to remove latent payloads.
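The output-encoding mitigation and the ScheduleHistory audit step, as an added example (not DNN project code). It uses constructed rows with an assumed `ScheduleHistoryID` field alongside the `LogNotes` field named in the advisory, and a plain rendering function standing in for the PersonaBar UI.

```javascript
// Added example (not DNN project code): encode scheduler LogNotes before
// rendering and triage ScheduleHistory rows for embedded markup.

// Constructed sample rows shaped like ScheduleHistory records. The field
// name ScheduleHistoryID is an assumption, not the real DNN schema.
const SAMPLE_HISTORY = [
  { ScheduleHistoryID: 1, LogNotes: "Purge completed: 12 items removed" },
  { ScheduleHistoryID: 2, LogNotes: "Task failed: <img src=x onerror=alert(1)>" },
  { ScheduleHistoryID: 3, LogNotes: "Retry <script>alert(document.cookie)</script>" },
  { ScheduleHistoryID: 4, LogNotes: "Compared a < b, result: 3 > 2" },
];

// Server-side output encoding: every character that can open a tag,
// attribute or entity is escaped so the browser treats the notes as text.
function encodeLogNotes(notes) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(notes).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: the encoded notes go in as text content, never
// through an innerHTML-style prop. Stands in for the PersonaBar history view.
function renderHistoryRow(row) {
  return `<tr><td>${row.ScheduleHistoryID}</td><td>${encodeLogNotes(row.LogNotes)}</td></tr>`;
}

// Triage helper for the remediation step: flag rows whose LogNotes contain
// a tag, an inline event handler or a javascript: URL so they can be reviewed
// before the table is cleared. A bare '<' in arithmetic text is not flagged
// because a tag name must follow the '<' immediately.
const MARKUP_PATTERN = /<\/?[a-z][a-z0-9]*(\s[^>]*)?>|\bon[a-z]+\s*=|javascript:/i;
function findSuspiciousHistoryRows(rows) {
  return rows.filter((r) => MARKUP_PATTERN.test(String(r.LogNotes)));
}
```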
References
Read the full report for CVE-2026-24836 on our website for more details including interactive diagrams and full exploit analysis.