CVE-2026-23891
Received Received - Intake

Stored Code Execution in Decidim Username Field Enables Remote Attack

Vulnerability report for CVE-2026-23891, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-13

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description

Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-13
Last Modified
2026-04-22
Generated
2026-07-06
AI Q&A
2026-04-13
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
decidim decidim to 0.30.5 (exc)
decidim decidim From 0.31.0 (inc) to 0.31.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-23891 is a critical stored cross-site scripting (XSS) vulnerability in the Decidim participatory democracy framework. It occurs in the user name field, where a low-privileged attacker can inject malicious code. This code is then executed in the context of any user who passively visits a comment page containing the malicious input.

The vulnerability allows arbitrary code execution without requiring any interaction beyond visiting the affected page, leading to high confidentiality and integrity impacts across security boundaries.

Impact Analysis

This vulnerability can have severe impacts including unauthorized execution of arbitrary code in the context of other users. An attacker with low privileges can exploit this by injecting malicious code into the user name field, which executes when other users visit a comment page.

The consequences include high confidentiality and integrity impacts, meaning sensitive data could be exposed or altered, and the security boundaries of the application can be compromised.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-23891 in Decidim, you should upgrade your Decidim installation to version 0.30.5 or 0.31.1, where the issue has been fixed.

The upgrade process includes the following steps:

  • Back up your database, application code, and static files before upgrading.
  • Update your Gemfile to specify Decidim version 0.30.5 or 0.31.1 for the "decidim" and "decidim-dev" gems.
  • Run the command `bundle update decidim`.
  • Run database migrations using `bin/rails db:migrate`.
  • Run Decidim upgrade commands such as `bin/rails decidim:upgrade` and data cleanup commands like `bin/rails decidim:upgrade:remove_deleted_users_left_data` and `bin/rails decidim:upgrade:fix_deleted_private_follows`.

Ensure you complete all prior update steps and maintain full backups before upgrading to avoid data loss or instability.

Compliance Impact

The vulnerability allows arbitrary code execution in the context of any user who visits a comment page containing malicious input, resulting in high confidentiality and integrity impact across security boundaries.

This severe risk compromises data confidentiality and integrity, which are critical aspects of compliance with common standards and regulations such as GDPR and HIPAA.

Additionally, the vulnerability violates OWASP ASVS v4.0.3-5.1.3 guidelines, indicating non-compliance with recognized security best practices that underpin many regulatory requirements.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23891. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart