CVE-2026-23891

UNKNOWN 0.0

Decidim has a Cross-site scripting (XSS) vulnerability via user name field

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.

CWE	CWE-79
Vendor	decidim
Product	decidim
Published	Apr 13, 2026
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for decidim decidim

Be the first to know when new unknown vulnerabilities affecting decidim decidim are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

decidim / decidim

>= 0.31.0.rc1, < 0.31.1 < 0.30.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g github.com: https://github.com/decidim/decidim/releases/tag/v0.30.5 github.com: https://github.com/decidim/decidim/releases/tag/v0.31.1