CVE-2026-23891

HIGH

Decidim has a Cross-site scripting (XSS) vulnerability via user name field

Title source: cna

Description

Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.

References (3)

Scores

CVSS v3 8.7
EPSS 0.0005
EPSS Percentile 14.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Details

CWE
CWE-79
Status published
Products (3)
decidim/decidim < 0.30.5 (2 CPE variants)
decidim/decidim >= 0.31.0.rc1, < 0.31.1
rubygems/decidim-core 0.31.0.rc1 - 0.31.1RubyGems
Published Apr 13, 2026
Tracked Since Apr 13, 2026