Decidim has a cross-site scripting (XSS) in user name

GHSA-fc46-r95f-hq7g · CVE-2026-23891

Published Apr 13, 2026 · Modified May 13, 2026

Description

Impact

A stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries.

Patches

N/A

Workarounds

Not available

References

OWASP ASVS v4.0.3-5.1.3

Credits

This issue was discovered in a security audit organized by octree and made by Secu Labs against Decidim financed by the city of Lausanne (Switzerland).

References

WEB https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-23891
PACKAGE https://github.com/decidim/decidim
WEB https://github.com/decidim/decidim/releases/tag/v0.30.5
WEB https://github.com/decidim/decidim/releases/tag/v0.31.1
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2026-23891.yml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes