Skip to main content

Decidim CVE-2026-45572

MEDIUM
Code Injection (CWE-94)
2026-07-13 https://github.com/decidim/decidim GHSA-533c-2vh9-4r86
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

PR:H reflects mandatory admin-level landing-page editing rights; S:C applies because the injected script executes in visitor browser contexts outside the server trust boundary.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 13, 2026 - 19:41 vuln.today
Analysis Generated
Jul 13, 2026 - 19:41 vuln.today

DescriptionGitHub Advisory

Description

A privileged admin user who can edit an affected landing page can store arbitrary HTML/JavaScript in an HTML block, and the public page renders it with html_safe and no output escaping.

Technical description

This issue lets any admin who can edit an affected landing page store arbitrary HTML and JavaScript in an HTML block. The block is then rendered back through Decidim::ContentBlocks::HtmlCell#html_content without a sanitization boundary, so the script executes later in visitor's browsers.

<img width="1541" height="439" alt="decidim-html-xss-01" src="https://github.com/user-attachments/assets/acae1c06-8acb-49be-ab12-aabae33190ce" />

<img width="1540" height="752" alt="decidim-html-xss-02" src="https://github.com/user-attachments/assets/a2f1fa7f-03f3-4d17-b58b-f4db865443e9" />

Impact

  • A user with landing-page editing rights for an affected scope can persist JavaScript that executes in visitor's browsers on that page.
  • Because exploitation already requires privileged administrative access, the practical risk is lower than a participant-controlled or unauthenticated stored XSS. It still creates a browser-execution primitive in a trusted admin-editable surface.

Patches

See https://github.com/decidim/decidim/pull/16451

Workarounds

Do not give admin permissions to non-trustful users.

Reference

Stored XSS

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

AnalysisAI

Stored XSS in Decidim's HTML content blocks allows any administrator with landing-page editing rights to persist arbitrary JavaScript that executes in every visitor's browser. The vulnerability affects the decidim-core RubyGem across three release branches (below 0.30.9, 0.31.5, and 0.32.0) and was confirmed through a professional security audit by Radically Open Security. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise Decidim admin account with landing-page editing rights
Delivery
Access HTML content block editor in admin interface
Exploit
Inject malicious JavaScript payload and save
Execution
Victim visitor loads affected public page
Persist
Browser executes stored script
Impact
Exfiltrate session tokens or perform victim-context actions

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Decidim administrator account that has been explicitly granted landing-page editing rights for the target scope (homepage or static page content blocks). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 4.8 (Medium) correctly reflects the two key constraints: PR:H (high privileges required - the attacker must already hold admin-level landing-page editing rights) and UI:R (a victim visitor must load the affected page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised Decidim admin with landing-page editing rights accesses an HTML content block on the organization's public homepage, embeds a JavaScript payload designed to exfiltrate visitor session cookies to an attacker-controlled endpoint, and saves the change. Every visitor who subsequently loads that public page executes the script silently in their browser, exposing their session or allowing the attacker to perform authenticated actions on their behalf. …
Remediation Upgrade decidim-core to the first non-vulnerable release for your branch: version 0.30.9 for 0.30.x deployments, version 0.31.5 for 0.31.x deployments, or version 0.32.0 for 0.32.x deployments. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-45572 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy