https://feed.craftedsignal.io/tags/svg/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 18 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-dnn-svg-upload/Sat, 18 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dnn-svg-upload/DNN (formerly DotNetNuke) before 10.2.2 is vulnerable to stored cross-site scripting (XSS) via malicious SVG file uploads, potentially leading to account takeover and arbitrary code execution.DNN (formerly DotNetNuke) is an open-source web content management system (CMS) built on the .NET framework. Prior to version 10.2.2, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of SVG files. Attackers can exploit CVE-2026-40321 by uploading a crafted SVG file containing malicious JavaScript. This script can then be executed in the context of other users, including administrators, upon accessing the uploaded SVG. Successful exploitation could lead to session hijacking, account takeover, and potentially arbitrary code execution on the server. Version 10.2.2 addresses this vulnerability by implementing proper sanitization of SVG uploads. The vulnerability affects both authenticated and unauthenticated users, increasing the attack surface.

Attack Chain

1. An attacker identifies a DNN instance running a version prior to 10.2.2.
2. The attacker crafts a malicious SVG file containing embedded JavaScript code designed to perform actions such as stealing cookies or redirecting users.
3. The attacker uploads the malicious SVG file to the DNN instance, potentially through a media library or profile picture upload feature.
4. A user (either authenticated or unauthenticated) views the page or element where the malicious SVG is displayed.
5. The user’s browser executes the embedded JavaScript code within the SVG file.
6. The malicious script steals the user’s session cookie or redirects them to a phishing page.
7. If the compromised user has administrative privileges, the attacker uses the stolen cookie to access the DNN administration panel.
8. The attacker leverages their administrative access to inject malicious code into the DNN website or install a backdoor for persistent access.

Impact

Successful exploitation of this vulnerability (CVE-2026-40321) can lead to a range of negative consequences. Attackers can hijack user sessions, potentially gaining unauthorized access to sensitive data and administrative functions. An attacker can deface the website, inject malware, or steal sensitive information. Because DNN is often used in enterprise environments, this could lead to significant data breaches and reputational damage. The number of affected installations is potentially high, given the widespread use of DNN.

Recommendation

• Upgrade DNN installations to version 10.2.2 or later to patch CVE-2026-40321, as recommended by the vendor.
• Implement the “Detect Suspicious SVG Uploads” Sigma rule to identify attempts to upload SVG files containing potentially malicious script content.
• Monitor web server logs for HTTP requests with the “.svg” extension and inspect the request body for suspicious JavaScript patterns to proactively detect malicious SVG uploads using the “Web Server Suspicious SVG Upload” Sigma rule.
• Implement strict input validation and sanitization measures for all file uploads, especially SVG files, to prevent the injection of malicious code.

]]>highadvisorydnndotnetnukesvgxsscve-2026-40321uploadhttps://feed.craftedsignal.io/briefs/2026-04-dotnetnuke-xss/Sat, 11 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dotnetnuke-xss/DotNetNuke.Core is vulnerable to stored cross-site scripting (XSS) where a user can upload a specially crafted SVG file containing malicious scripts, potentially targeting both authenticated and unauthenticated DNN users, with successful exploitation requiring user interaction and leading to high impact on confidentiality, integrity, and availability.DotNetNuke.Core versions prior to 10.2.2 are vulnerable to stored cross-site scripting (XSS). An attacker can exploit this vulnerability by uploading a malicious SVG file to the DotNetNuke server. This file contains embedded JavaScript that executes when the SVG is processed and displayed by the application. Successful exploitation requires a user to interact with the uploaded SVG file, which then triggers the malicious script execution. This poses a significant risk as the injected scripts can target both authenticated and unauthenticated users, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim. This vulnerability was published on April 10, 2026, and patched in version 10.2.2.

Attack Chain

1. An attacker crafts a malicious SVG file containing embedded JavaScript code designed for XSS exploitation.
2. The attacker, with low privileges, uploads the malicious SVG file to the DotNetNuke server through a file upload functionality.
3. The server stores the SVG file, making it accessible to other users.
4. A user (either authenticated or unauthenticated) navigates to the location where the SVG file is stored or displayed.
5. The user’s browser processes the SVG file, triggering the execution of the embedded JavaScript.
6. The malicious script executes within the user’s browser session, gaining access to cookies, session tokens, and other sensitive information.
7. The attacker steals user’s cookies and session tokens.
8. The attacker uses stolen session tokens to hijack the user’s session, perform unauthorized actions, and potentially escalate privileges.

Impact

Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a user’s session. This can lead to sensitive information disclosure, such as stealing user credentials or session cookies. An attacker can then hijack user sessions, perform unauthorized actions on their behalf, and potentially gain elevated privileges within the DotNetNuke application. Due to the nature of stored XSS, the impact can be widespread, affecting any user who interacts with the malicious SVG file until the vulnerability is patched.

Recommendation

• Upgrade DotNetNuke.Core to version 10.2.2 or later to patch the XSS vulnerability (reference: Affected versions).
• Implement server-side validation to sanitize uploaded SVG files and prevent the injection of malicious scripts (reference: Description).
• Deploy the Sigma rule provided below to detect attempts to upload SVG files containing JavaScript code (reference: Sigma rule “Detect SVG Upload with Embedded JavaScript”).
• Configure web application firewalls (WAFs) to inspect and block suspicious SVG uploads based on content analysis (reference: Description).
• Enable logging for file uploads to track potential malicious activity (reference: logsource category “file_event”).

]]>highadvisorydotnetnukexsssvgweb-applicationhttps://feed.craftedsignal.io/briefs/2026-04-siyuan-xss/Wed, 01 Apr 2026 00:30:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-siyuan-xss/SiYuan Note versions prior to the fix for commit f09953afc57a are vulnerable to reflected cross-site scripting (XSS) via a namespace prefix bypass in the SanitizeSVG function when handling dynamic icons, allowing unauthenticated attackers to execute arbitrary JavaScript in a victim's browser.SiYuan Note, a note-taking application, is susceptible to a reflected XSS vulnerability in its dynamic icon generation functionality. This flaw, present in versions prior to commit f09953afc57a, arises from an insufficient sanitization of SVG content, specifically failing to account for namespace prefixes in SVG elements. The vulnerability resides in the /api/icon/getDynamicIcon endpoint, which is accessible without authentication. An attacker can exploit this by crafting a malicious SVG payload containing namespaced <script> tags (e.g., <x:script xmlns:x="http://www.w3.org/2000/svg">), which bypasses the application’s XSS mitigation measures. Successful exploitation allows arbitrary JavaScript execution within the context of the victim’s SiYuan Note instance, potentially leading to data theft or other malicious activities.

Attack Chain

1. An attacker crafts a malicious URL targeting the /api/icon/getDynamicIcon endpoint with the type=8 parameter.
2. The crafted URL includes a content parameter containing a specially crafted SVG payload. This SVG payload leverages a namespace prefix to bypass the SanitizeSVG function’s intended filtering, e.g., %3C%2Fx%3Ascript%20xmlns%3Ax%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3Ealert%28document.domain%29%3C%2Fx%3Ascript%3E.
3. The victim, either unknowingly or through social engineering, opens the malicious URL in their browser.
4. The SiYuan server processes the request without proper sanitization, inserting the attacker-controlled content into the SVG, and serves the response with Content-Type: image/svg+xml.
5. The browser’s XML parser interprets the namespace prefix, resolving it to the SVG namespace, and executes the embedded JavaScript code.
6. The JavaScript code executes within the security context of the SiYuan application (http://<siyuan-host>:6806), due to Access-Control-Allow-Origin: *.
7. The attacker’s script can now interact with the SiYuan API using the victim’s session cookies.
8. The attacker can perform actions such as reading notes, exporting data, or modifying settings without authentication.

Impact

This vulnerability poses a significant risk to SiYuan Note users, particularly those whose instances are reachable on a local network. An attacker could potentially compromise sensitive information, manipulate user data, or gain unauthorized access to the application. The ease of exploitation and the absence of authentication requirements make this vulnerability particularly dangerous. Because SiYuan sets Access-Control-Allow-Origin: * and the script runs same-origin, it can call any API endpoint using the victim’s existing session cookies, including endpoints to read all notes, export data, or modify settings.

Recommendation

• Upgrade SiYuan Note to a version that includes the fix for commit f09953afc57a to remediate the vulnerability.
• Deploy the Sigma rule “Detect SiYuan SVG XSS Attempt” to identify potential exploitation attempts in web server logs.
• Monitor web server logs for requests to /api/icon/getDynamicIcon containing SVG payloads with namespace-prefixed script tags, as demonstrated in the PoC.
• Consider implementing a Content Security Policy (CSP) on the SiYuan server to restrict the execution of inline JavaScript.

]]>highadvisoryxsssiyuansvgreflected-xss