RubyGems package

decidim

pkg:gem/decidim

Vulnerabilities (12)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-65017		—	>= 0.30.0, < 0.30.4	0.30.4	Feb 3, 2026	Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in v
CVE-2024-41673	Hig	7.1	< 0.27.8	0.27.8	Oct 1, 2024	Decidim is a participatory democracy framework. The version control feature used in resources is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.27.8.
CVE-2024-39910		—	< 0.27.7	0.27.7	Sep 16, 2024	decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The att
CVE-2024-32469	Hig	7.1	< 0.27.6	0.27.6	Jul 10, 2024	Decidim is a participatory democracy framework. The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter `per_page`. This vulnerability is fixed in 0.27.6 and 0.28.1.
CVE-2024-27090	Med	5.3	< 0.27.6	0.27.6	Jul 10, 2024	Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embb
CVE-2023-51447		—	>= 0.27.0, < 0.27.5	0.27.5	Feb 20, 2024	Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uplo
CVE-2023-48220		—	>= 0.0.1.alpha3, < 0.26.9	0.26.9	Feb 20, 2024	Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue cre
CVE-2023-47634		—	>= 0.10.0, < 0.26.9	0.26.9	Feb 20, 2024	Decidim is a participatory democracy framework. Starting in version 0.10.0 and prior to versions 0.26.9, 0.27.5, and 0.28.0, a race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than once endorsement. To exploit this vulnerability
CVE-2023-36465		—	>= 0.23.2, < 0.26.8	0.26.8	Oct 6, 2023	Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access to this
CVE-2023-34089		—	>= 0.14.0, < 0.26.7	0.26.7	Jul 11, 2023	Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute
CVE-2023-34090		—	>= 0.27.0, < 0.27.3	0.27.3	Jul 11, 2023	Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public mee
CVE-2023-32693		—	>= 0.25.0, < 0.26.7	0.26.7	Jul 11, 2023	Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute Ja

CVE-2025-65017Feb 3, 2026
affected >= 0.30.0, < 0.30.4fixed 0.30.4
Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in v
CVE-2024-41673HigOct 1, 2024
affected < 0.27.8fixed 0.27.8
Decidim is a participatory democracy framework. The version control feature used in resources is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.27.8.
CVE-2024-39910Sep 16, 2024
affected < 0.27.7fixed 0.27.7
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The att
CVE-2024-32469HigJul 10, 2024
affected < 0.27.6fixed 0.27.6
Decidim is a participatory democracy framework. The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter `per_page`. This vulnerability is fixed in 0.27.6 and 0.28.1.
CVE-2024-27090MedJul 10, 2024
affected < 0.27.6fixed 0.27.6
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embb
CVE-2023-51447Feb 20, 2024
affected >= 0.27.0, < 0.27.5fixed 0.27.5
Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being uplo
CVE-2023-48220Feb 20, 2024
affected >= 0.0.1.alpha3, < 0.26.9fixed 0.26.9
Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue cre
CVE-2023-47634Feb 20, 2024
affected >= 0.10.0, < 0.26.9fixed 0.26.9
Decidim is a participatory democracy framework. Starting in version 0.10.0 and prior to versions 0.26.9, 0.27.5, and 0.28.0, a race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than once endorsement. To exploit this vulnerability
CVE-2023-36465Oct 6, 2023
affected >= 0.23.2, < 0.26.8fixed 0.26.8
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access to this
CVE-2023-34089Jul 11, 2023
affected >= 0.14.0, < 0.26.7fixed 0.26.7
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute
CVE-2023-34090Jul 11, 2023
affected >= 0.27.0, < 0.27.3fixed 0.27.3
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public mee
CVE-2023-32693Jul 11, 2023
affected >= 0.25.0, < 0.26.7fixed 0.26.7
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute Ja