CVE-2026-23891
Received Received - Intake
Stored Code Execution in Decidim Username Field Enables Remote Attack

Publication date: 2026-04-13

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23891
EUVD
EUVD-2026-22024
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
decidim decidim to 0.30.5 (exc)
decidim decidim From 0.31.0 (inc) to 0.31.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23891 is a critical stored cross-site scripting (XSS) vulnerability in the Decidim participatory democracy framework. It occurs in the user name field, where a low-privileged attacker can inject malicious code. This code is then executed in the context of any user who passively visits a comment page containing the malicious input.

The vulnerability allows arbitrary code execution without requiring any interaction beyond visiting the affected page, leading to high confidentiality and integrity impacts across security boundaries.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of arbitrary code in the context of other users. An attacker with low privileges can exploit this by injecting malicious code into the user name field, which executes when other users visit a comment page.

The consequences include high confidentiality and integrity impacts, meaning sensitive data could be exposed or altered, and the security boundaries of the application can be compromised.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-23891 in Decidim, you should upgrade your Decidim installation to version 0.30.5 or 0.31.1, where the issue has been fixed.

The upgrade process includes the following steps:

  • Back up your database, application code, and static files before upgrading.
  • Update your Gemfile to specify Decidim version 0.30.5 or 0.31.1 for the "decidim" and "decidim-dev" gems.
  • Run the command `bundle update decidim`.
  • Run database migrations using `bin/rails db:migrate`.
  • Run Decidim upgrade commands such as `bin/rails decidim:upgrade` and data cleanup commands like `bin/rails decidim:upgrade:remove_deleted_users_left_data` and `bin/rails decidim:upgrade:fix_deleted_private_follows`.

Ensure you complete all prior update steps and maintain full backups before upgrading to avoid data loss or instability.

Compliance Impact

The vulnerability allows arbitrary code execution in the context of any user who visits a comment page containing malicious input, resulting in high confidentiality and integrity impact across security boundaries.

This severe risk compromises data confidentiality and integrity, which are critical aspects of compliance with common standards and regulations such as GDPR and HIPAA.

Additionally, the vulnerability violates OWASP ASVS v4.0.3-5.1.3 guidelines, indicating non-compliance with recognized security best practices that underpin many regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23891. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart