CVE-2026-23891 Decidim — Exploit & Vulnerability Details CRITICAL

CVE-2026-23891

CRITICAL CVSS 4.0: 9.3 EPSS 0.05%

Parameter	Value
CVSS	9.3 (CRITICAL)
Type	CWE-79 (Cross-Site Scripting (XSS))
Vendor	Decidim
Public PoC	No

Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

None

No additional conditions

Privileges Required

Low

Basic privileges needed

User Interaction

Passive

Minimal interaction

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

Low

Partial disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

References 3

https://github.com/decidim/decidim/releases/tag/v0.30.5

security-advisories@github.com

https://github.com/decidim/decidim/releases/tag/v0.31.1

security-advisories@github.com

https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g

security-advisories@github.com

Share Post Share Share Share

Menu

CVE-2026-23891

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 3

CVE Details

Editor's Choice

Menu

CVE-2026-23891

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

References 3

CVE Details

Editor's Choice

Stay informed on cybersecurity