HIGH🇬🇧 English

CVE-2026-40869

CVSS 7.5v3.1pub. 2026-04-21upd. 2026-04-23

Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal as people amending proposals are provided coauthorship on the coauthorable resources. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, disable amendment reactions for the amendable component (e.g. proposals).

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • Decidim

    APP
    Decidim
    0.19.0 – 0.30.5 (bez)0.31.0 – 0.31.1 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-23891CRITICAL9.3PL ✓ten sam produkt

Stored XSS w polu nazwy użytkownika Decidim umożliwia zdalne wykonanie kodu

CVE-2023-36465CRITICAL9.1ten sam produkt

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelo...

CVE-2025-65017HIGH8.2ten sam produkt

Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 t...

CVE-2024-45594HIGH7.7ten sam produkt

Decidim is a participatory democracy framework. The meeting embeds feature used in the online or hybrid meetin...

CVE-2023-34090HIGH7.5ten sam produkt

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelo...