Decidim
Products
1- Decidim18 CVEsgem
Recent CVEs
18| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-23891 | Hig | 0.50 | 8.7 | 0.00 | Apr 13, 2026 | Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a… | ||
| CVE-2026-40869 | Hig | 0.42 | 7.5 | 0.00 | Apr 21, 2026 | Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the… | ||
| CVE-2024-41673 | Hig | 0.39 | 7.1 | 0.00 | Oct 1, 2024 | Decidim is a participatory democracy framework. The version control feature used in resources is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.27.8. | ||
| CVE-2024-32469 | Hig | 0.39 | 7.1 | 0.00 | Jul 10, 2024 | Decidim is a participatory democracy framework. The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter `per_page`. This vulnerability is fixed in 0.27.6 and 0.28.1. | ||
| CVE-2024-27090 | Med | 0.27 | 5.3 | 0.00 | Jul 10, 2024 | Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be… | ||
| CVE-2025-65017 | 0.00 | — | 0.00 | Feb 3, 2026 | Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in… | |||
| CVE-2024-45594 | 0.00 | — | 0.00 | Nov 13, 2024 | Decidim is a participatory democracy framework. The meeting embeds feature used in the online or hybrid meetings is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.28.3 and 0.29.0. | |||
| CVE-2024-39910 | 0.00 | — | 0.00 | Sep 16, 2024 | decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The… | |||
| CVE-2024-32034 | 0.00 | — | 0.00 | Sep 16, 2024 | decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action… | |||
| CVE-2024-27095 | 0.00 | — | 0.00 | Jul 10, 2024 | Decidim is a participatory democracy framework. The admin panel is subject to potential XSS attach in case the attacker manages to modify some records being uploaded to the server. This vulnerability is fixed in 0.27.6 and 0.28.1. | |||
| CVE-2023-51447 | 0.00 | — | 0.00 | Feb 20, 2024 | Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being… | |||
| CVE-2023-48220 | 0.00 | — | 0.01 | Feb 20, 2024 | Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue… | |||
| CVE-2023-47635 | 0.00 | — | 0.00 | Feb 20, 2024 | Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security thread as you need to have… | |||
| CVE-2023-47634 | 0.00 | — | 0.00 | Feb 20, 2024 | Decidim is a participatory democracy framework. Starting in version 0.10.0 and prior to versions 0.26.9, 0.27.5, and 0.28.0, a race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than once endorsement. To exploit this… | |||
| CVE-2023-36465 | 0.00 | — | 0.01 | Oct 6, 2023 | Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access to… | |||
| CVE-2023-34089 | 0.00 | — | 0.01 | Jul 11, 2023 | Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to… | |||
| CVE-2023-34090 | 0.00 | — | 0.01 | Jul 11, 2023 | Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public… | |||
| CVE-2023-32693 | 0.00 | — | 0.01 | Jul 11, 2023 | Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute… |
- risk 0.50cvss 8.7epss 0.00
Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a…
- risk 0.42cvss 7.5epss 0.00
Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the…
- risk 0.39cvss 7.1epss 0.00
Decidim is a participatory democracy framework. The version control feature used in resources is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.27.8.
- risk 0.39cvss 7.1epss 0.00
Decidim is a participatory democracy framework. The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter `per_page`. This vulnerability is fixed in 0.27.6 and 0.28.1.
- risk 0.27cvss 5.3epss 0.00
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be…
- CVE-2025-65017Feb 3, 2026risk 0.00cvss —epss 0.00
Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in…
- CVE-2024-45594Nov 13, 2024risk 0.00cvss —epss 0.00
Decidim is a participatory democracy framework. The meeting embeds feature used in the online or hybrid meetings is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.28.3 and 0.29.0.
- CVE-2024-39910Sep 16, 2024risk 0.00cvss —epss 0.00
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The…
- CVE-2024-32034Sep 16, 2024risk 0.00cvss —epss 0.00
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action…
- CVE-2024-27095Jul 10, 2024risk 0.00cvss —epss 0.00
Decidim is a participatory democracy framework. The admin panel is subject to potential XSS attach in case the attacker manages to modify some records being uploaded to the server. This vulnerability is fixed in 0.27.6 and 0.28.1.
- CVE-2023-51447Feb 20, 2024risk 0.00cvss —epss 0.00
Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the dynamic file upload feature is subject to potential cross-site scripting attacks in case the attacker manages to modify the file names of the records being…
- CVE-2023-48220Feb 20, 2024risk 0.00cvss —epss 0.01
Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and prior to version 2.0.9 of the `devise_invitable` gem, the invites feature allows users to accept the invitation for an unlimited amount of time through the password reset functionality. This issue…
- CVE-2023-47635Feb 20, 2024risk 0.00cvss —epss 0.00
Decidim is a participatory democracy framework. Starting in version 0.23.0 and prior to versions 0.27.5 and 0.28.0, the CSRF authenticity token check is disabled for the questionnaire templates preview. The issue does not imply a serious security thread as you need to have…
- CVE-2023-47634Feb 20, 2024risk 0.00cvss —epss 0.00
Decidim is a participatory democracy framework. Starting in version 0.10.0 and prior to versions 0.26.9, 0.27.5, and 0.28.0, a race condition in the endorsement of resources (for instance, a proposal) allows a user to make more than once endorsement. To exploit this…
- CVE-2023-36465Oct 6, 2023risk 0.00cvss —epss 0.01
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The `templates` module doesn't enforce the correct permissions, allowing any logged-in user to access to…
- CVE-2023-34089Jul 11, 2023risk 0.00cvss —epss 0.01
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to…
- CVE-2023-34090Jul 11, 2023risk 0.00cvss —epss 0.01
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public…
- CVE-2023-32693Jul 11, 2023risk 0.00cvss —epss 0.01
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute…