VYPR
High severity8.7NVD Advisory· Published Apr 13, 2026· Updated Apr 22, 2026

CVE-2026-23891

CVE-2026-23891

Description

Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
decidim-coreRubyGems
>= 0.31.0.rc1, < 0.31.10.31.1
decidim-coreRubyGems
< 0.30.50.30.5

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.