Decidim CVE-2026-45572
MEDIUMSeverity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
PR:H reflects mandatory admin-level landing-page editing rights; S:C applies because the injected script executes in visitor browser contexts outside the server trust boundary.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Description
A privileged admin user who can edit an affected landing page can store arbitrary HTML/JavaScript in an HTML block, and the public page renders it with html_safe and no output escaping.
Technical description
This issue lets any admin who can edit an affected landing page store arbitrary HTML and JavaScript in an HTML block. The block is then rendered back through Decidim::ContentBlocks::HtmlCell#html_content without a sanitization boundary, so the script executes later in visitor's browsers.
<img width="1541" height="439" alt="decidim-html-xss-01" src="https://github.com/user-attachments/assets/acae1c06-8acb-49be-ab12-aabae33190ce" />
<img width="1540" height="752" alt="decidim-html-xss-02" src="https://github.com/user-attachments/assets/a2f1fa7f-03f3-4d17-b58b-f4db865443e9" />
Impact
- A user with landing-page editing rights for an affected scope can persist JavaScript that executes in visitor's browsers on that page.
- Because exploitation already requires privileged administrative access, the practical risk is lower than a participant-controlled or unauthenticated stored XSS. It still creates a browser-execution primitive in a trusted admin-editable surface.
Patches
See https://github.com/decidim/decidim/pull/16451
Workarounds
Do not give admin permissions to non-trustful users.
Reference
Stored XSS
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
AnalysisAI
Stored XSS in Decidim's HTML content blocks allows any administrator with landing-page editing rights to persist arbitrary JavaScript that executes in every visitor's browser. The vulnerability affects the decidim-core RubyGem across three release branches (below 0.30.9, 0.31.5, and 0.32.0) and was confirmed through a professional security audit by Radically Open Security. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Decidim administrator account that has been explicitly granted landing-page editing rights for the target scope (homepage or static page content blocks). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 4.8 (Medium) correctly reflects the two key constraints: PR:H (high privileges required - the attacker must already hold admin-level landing-page editing rights) and UI:R (a victim visitor must load the affected page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised Decidim admin with landing-page editing rights accesses an HTML content block on the organization's public homepage, embeds a JavaScript payload designed to exfiltrate visitor session cookies to an attacker-controlled endpoint, and saves the change. Every visitor who subsequently loads that public page executes the script silently in their browser, exposing their session or allowing the attacker to perform authenticated actions on their behalf. … |
| Remediation | Upgrade decidim-core to the first non-vulnerable release for your branch: version 0.30.9 for 0.30.x deployments, version 0.31.5 for 0.31.x deployments, or version 0.32.0 for 0.32.x deployments. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-533c-2vh9-4r86