Skip to main content

EUVDEUVD-2026-22024

| CVE-2026-23891 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-04-13 https://github.com/decidim/decidim GHSA-fc46-r95f-hq7g
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Patch released
Apr 13, 2026 - 20:30 nvd
Patch available
CVSS changed
Apr 13, 2026 - 17:22 NVD
9.3 (CRITICAL)
Analysis Generated
Apr 13, 2026 - 17:14 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 16:45 euvd
EUVD-2026-22024
Analysis Generated
Apr 13, 2026 - 16:45 vuln.today
CVE Published
Apr 13, 2026 - 16:35 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

Impact

A stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries.

Patches

N/A

Workarounds

Not available

References

OWASP ASVS v4.0.3-5.1.3

Credits

This issue was discovered in a security audit organized by octree and made by Secu Labs against Decidim financed by the city of Lausanne (Switzerland).

AnalysisAI

Stored code execution in Decidim's user name field allows authenticated attackers with low privileges to inject malicious code that executes in victims' browsers when they view comment pages, enabling account takeover and data theft across trust boundaries. The vulnerability affects the decidim-core RubyGem component. Patches are available in versions 0.30.5 and 0.31.1. No public exploit identified at time of analysis, though the attack vector is relatively straightforward for authenticated users.

Technical ContextAI

Decidim is an open-source participatory democracy platform built on Ruby on Rails. This vulnerability stems from insufficient input sanitization in the user name field (CWE-79: Improper Neutralization of Input During Web Page Generation). The affected component is the decidim-core RubyGem (pkg:rubygems/decidim-core), which provides core functionality for the Decidim platform. Unlike typical reflected XSS, this is a stored code execution vulnerability where malicious payloads persist in the database and execute whenever other users view pages containing the attacker's username, such as comment sections. The classification as both XSS and RCE in tags suggests the payload can achieve remote code execution in the browser context, potentially leveraging modern browser APIs or framework-specific features to escalate beyond traditional XSS limitations. The vulnerability was identified through a professional security audit conducted by Secu Labs for the city of Lausanne, indicating rigorous third-party validation. The OWASP ASVS v4.0.3-5.1.3 reference points to requirements for output encoding and injection prevention.

RemediationAI

Upgrade to patched versions immediately: decidim-core 0.30.5 for installations on the 0.30.x branch, or decidim-core 0.31.1 for the 0.31.x branch. Update the Gemfile to specify the fixed version and run bundle update decidim-core to apply the patch. Both releases are available from RubyGems and documented at https://github.com/decidim/decidim/releases/tag/v0.30.5 and https://github.com/decidim/decidim/releases/tag/v0.31.1 respectively. No workarounds are available according to the vendor advisory, making upgrade the only effective mitigation. After patching, audit existing user name fields for suspicious content and review access logs for potential exploitation indicators. Organizations unable to upgrade immediately should consider restricting user registration or implementing additional Web Application Firewall rules to detect script injection patterns, though these are incomplete mitigations. Review the security advisory at https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g for additional vendor guidance.

Share

EUVD-2026-22024 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy