High severity8.7NVD Advisory· Published Apr 13, 2026· Updated Apr 22, 2026
CVE-2026-23891
CVE-2026-23891
Description
Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-fc46-r95f-hq7gghsaADVISORY
- github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7gnvdVendor Advisory
- github.com/decidim/decidim/releases/tag/v0.30.5nvdProductRelease Notes
- github.com/decidim/decidim/releases/tag/v0.31.1nvdProductRelease Notes
- github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2026-23891.ymlghsa
- nvd.nist.gov/vuln/detail/CVE-2026-23891ghsa
News mentions
0No linked articles in our index yet.