CVE-2026-23891
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
Summary
Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| decidim | decidim | >= 0.31.0.rc1, < 0.31.1 | affected |
| decidim | decidim | < 0.30.5 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g
- https://github.com/decidim/decidim/releases/tag/v0.30.5
- https://github.com/decidim/decidim/releases/tag/v0.31.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.