CRITICAL🇵🇱 Wersja polska

CVE-2026-23891

CVSS 9.3v4.0pub. 2026-04-13upd. 2026-04-22

Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Decidim

    APP
    Decidim
    < 0.30.50.31.0 – 0.31.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEXSS
CWE
References

Related vulnerabilities

CVE-2023-36465CRITICAL9.1ten sam produkt

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelo...

CVE-2026-40869HIGH7.5ten sam produkt

Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0....

CVE-2025-65017HIGH8.2ten sam produkt

Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 t...

CVE-2024-45594HIGH7.7ten sam produkt

Decidim is a participatory democracy framework. The meeting embeds feature used in the online or hybrid meetin...

CVE-2023-34090HIGH7.5ten sam produkt

Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelo...