CVE-2026-23891
Stored Code Execution in Decidim Username Field Enables Remote Attack
Publication date: 2026-04-13
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| decidim | decidim | all versions before 0.30.5 (0.30.5 is fixed) |
| decidim | decidim | 0.31.0 (0.31.1 is fixed) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23891 is a stored cross-site scripting (XSS, CWE-79) vulnerability in the Decidim participatory democracy framework. The user name field does not neutralize HTML or script content, so a low-privileged attacker (any account that can set its own name) can store markup there. When a comment page that renders that name is viewed, the stored script runs in the browser of every visitor, with that visitor's session and in the application's origin.
The victim needs to do nothing beyond opening the affected page. Because the script runs as the victim, it can read what the victim can read and act as the victim inside the application, which is why the impact is rated high for both confidentiality and integrity and crosses the boundary between the attacker's account and other users'.
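The rendering mistake behind this class of bug, and its fix, in a small Ruby example added here for illustration. This is not Decidim's own template code (the page does not show it); the attacker name and comment body are constructed inputs, and `render_comment_*` and `contains_injected_tag?` are hypothetical helper names.

```ruby
require "erb"

# Constructed attacker-controlled display name of the kind the advisory
# describes: a low-privileged user stores markup in their own user name.
# The handler here only proves execution; a real attacker would exfiltrate
# data or perform actions as the viewing user.
ATTACKER_NAME = %q{Alice<img src=x onerror="alert(document.domain)">}
COMMENT_BODY  = "I support this proposal."

# Vulnerable pattern (illustrative, not Decidim's code): the stored name is
# interpolated into HTML unchanged, so its markup becomes live DOM in the
# browser of every user who views the comment.
def render_comment_vulnerable(author_name, body)
  "<div class=\"comment\"><span class=\"author\">#{author_name}</span>" \
  "<p>#{body}</p></div>"
end

# Hardened pattern: every user-controlled value is HTML-escaped at the point
# it is placed into markup. In Rails ERB <%= %> does this by default; the bug
# class arises when raw/html_safe is applied to user input, or when a value is
# treated as trusted because it "is only a name".
def render_comment_hardened(author_name, body)
  "<div class=\"comment\"><span class=\"author\">#{ERB::Util.html_escape(author_name)}</span>" \
  "<p>#{ERB::Util.html_escape(body)}</p></div>"
end

# Check a reviewer can run against any rendering helper: the tag from the
# untrusted name must not survive into the output as a real tag.
def contains_injected_tag?(html)
  html.include?("<img")
end

if __FILE__ == $PROGRAM_NAME
  puts render_comment_vulnerable(ATTACKER_NAME, COMMENT_BODY)
  puts render_comment_hardened(ATTACKER_NAME, COMMENT_BODY)
end
```

The hardened output renders the name as literal text (`Alice&lt;img src=x onerror=&quot;alert(document.domain)&quot;&gt;`); the escaping has to happen on output, wherever the name is displayed, because the same stored value is reused across comment pages, profiles and notifications.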
How can this vulnerability impact me?
Any registered user with low privileges can place script in their user name; the script then runs in the browser of every user who views a comment page where that name appears, including administrators and moderators. The attacker does not need to target individuals: the payload is stored once and fires on each page view.
Script running as another user can read any data that user can see and submit any action that user is allowed to perform within Decidim, so the consequences are unauthorized disclosure and modification of application data (high confidentiality and integrity impact).
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-23891, upgrade Decidim to a fixed release: 0.30.5 if you run 0.30.x or older, or 0.31.1 if you run 0.31.0.
The upgrade process includes the following steps:
- Back up your database, application code and static files before upgrading.
- Update your Gemfile to pin Decidim version 0.30.5 or 0.31.1 for both the "decidim" and "decidim-dev" gems.
- Run `bundle update decidim`.
- Run database migrations with `bin/rails db:migrate`.
- Run the Decidim upgrade task `bin/rails decidim:upgrade`, then the data cleanup tasks for the release, such as `bin/rails decidim:upgrade:remove_deleted_users_left_data` and `bin/rails decidim:upgrade:fix_deleted_private_follows`.
If you are more than one release behind, complete the upgrade steps of each intermediate release first, and keep the backup until the upgraded instance has been verified, to avoid data loss or instability.
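Before running the upgrade across several instances it helps to triage which ones are actually in the affected ranges from the table above and which fixed release each should move to. The Ruby below is an added example, not a Decidim tool: it uses only Ruby's bundled `Gem::Version`/`Gem::Requirement`, reads the resolved version out of a Gemfile.lock, and rewrites a Gemfile that follows the generated-app convention of a `DECIDIM_VERSION` constant shared by the decidim and decidim-dev gems (an assumption; adjust `pin_decidim_version` if your Gemfile pins each gem separately). The sample lockfile and Gemfile are constructed.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Affected ranges exactly as the advisory table states them.
AFFECTED_RANGES = [
  Gem::Requirement.new("< 0.30.5"),
  Gem::Requirement.new(">= 0.31.0", "< 0.31.1")
].freeze

# True when the installed Decidim version falls inside an affected range.
# Gem::Version gets the edge cases right ("0.30.5.rc1" < "0.30.5", "0.9" < "0.30").
def affected?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(v) }
end

# Smallest fixed release an affected installation should move to:
# 0.30.5 for anything below the 0.31 series, 0.31.1 for 0.31.0.
def fixed_target(version_string)
  return nil unless affected?(version_string)
  Gem::Version.new(version_string) < Gem::Version.new("0.31.0") ? "0.30.5" : "0.31.1"
end

# Extracts the resolved decidim version from Gemfile.lock text. The specs
# section lists it as "    decidim (0.30.4)"; the trailing space before "("
# keeps "decidim-core (...)" from matching, and the dependency form
# "decidim (= 0.30.4)" is skipped because of the "=".
def locked_decidim_version(lockfile_text)
  lockfile_text[/^\s+decidim \(([^)\s]+)\)/, 1]
end

# Rewrites the DECIDIM_VERSION pin in a Gemfile (assumed generated-app layout).
def pin_decidim_version(gemfile_text, target)
  gemfile_text.sub(/^DECIDIM_VERSION = "[^"]*"/, %(DECIDIM_VERSION = "#{target}"))
end

# Constructed sample inputs standing in for a real application checkout.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      decidim (0.30.4)
        decidim-core (= 0.30.4)
      decidim-core (0.30.4)
LOCK

SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  DECIDIM_VERSION = "0.30.4"
  gem "decidim", DECIDIM_VERSION
  gem "decidim-dev", DECIDIM_VERSION
GEMFILE

if __FILE__ == $PROGRAM_NAME
  current = locked_decidim_version(SAMPLE_LOCK)
  if affected?(current)
    target = fixed_target(current)
    puts "decidim #{current} is affected by CVE-2026-23891; pin to #{target}"
    puts pin_decidim_version(SAMPLE_GEMFILE, target)
  else
    puts "decidim #{current} is not in an affected range"
  end
end
```

After the Gemfile is rewritten, the remaining steps (`bundle update decidim`, `bin/rails db:migrate`, `bin/rails decidim:upgrade` and the cleanup tasks) are run from the application directory as listed above; re-reading Gemfile.lock afterwards and confirming `affected?` returns false is a cheap post-upgrade check.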
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because the stored script runs in the session of any user who opens an affected comment page, an attacker can read and alter data belonging to other participants, including personal data that a Decidim instance processes.
Unauthorized disclosure or modification of personal data is the kind of event that confidentiality and integrity requirements in regulations such as GDPR and HIPAA are meant to prevent, and may trigger their incident-reporting obligations.
The flaw also fails OWASP ASVS v4.0.3 requirement 5.1.3 (validation of all user input), a recognized baseline that many regulatory control frameworks reference.