← voltar
CVE-2026-23891

Decidim has a Cross-site scripting (XSS) vulnerability via user name field

CVSS 9.3 CRITICALEPSS 0.4%CWE-79
Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
Produtos afetados
decidim · decidim

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/decidim/decidim/releases/tag/v0.30.5https://github.com/decidim/decidim/releases/tag/v0.31.1https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g