Platform: ruby
Component: decidim-core
Fixed in: 0.30.6, 0.31.1
CVE-2026-23891 describes a stored Cross-Site Scripting (XSS) vulnerability within the user name field of Decidim-Core. This flaw allows a low-privileged attacker to inject malicious code that executes when other users view comment pages, potentially compromising their sessions and data. The vulnerability affects versions of Decidim-Core up to and including 0.31.0.rc2; an upgrade to version 0.31.1 is required to address the issue.
The impact of this XSS vulnerability is severe. An attacker can leverage it to execute arbitrary JavaScript code within the context of any user who views a comment page. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data. The vulnerability's stored nature means that the malicious code persists on the server, potentially affecting a large number of users over time. The potential for widespread impact across security boundaries makes this a critical concern.
CVE-2026-23891 was discovered during a security audit of Decidim organized by octree and conducted by Secu Labs, financed by the city of Lausanne (Switzerland). The vulnerability's severity is rated as CRITICAL (CVSS 9.5). Public proof-of-concept (POC) code is not currently available, but the ease of exploitation suggests it may emerge. The vulnerability was published on 2026-04-13 and is being tracked by the NVD.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC: no decision listed
Apart from the fixed releases, no separate patch or workaround is available for CVE-2026-23891. The primary mitigation is to upgrade Decidim-Core to version 0.31.1 or later immediately. Until the upgrade is possible, apply strict input validation and output encoding to all user-supplied data, particularly the user name field. This is not a complete solution, but it reduces the attack surface. Regularly review and update security configurations to minimize residual risk. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the user name field and verifying that it is properly sanitized.
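The two interim controls named above, output encoding of the display name and strict input validation, are shown side by side below. This is an added example, not code from Decidim or from the advisory: `render_author_unsafe` is a hypothetical rendering helper that reproduces the unescaped-interpolation pattern behind a stored XSS, `render_author_safe` escapes the same value with Ruby's `ERB::Util.html_escape`, `valid_display_name?` is an assumed allowlist for names, and the sample names are constructed.

```ruby
require "erb"

# Constructed sample user names (not taken from the advisory).
SAMPLE_NAMES = [
  "Alice Example",
  "Bob <script>1</script>",
  "Carol \"quote\" & Co",
].freeze

# Vulnerable rendering (hypothetical helper): the stored name is interpolated
# straight into markup, so any tag in the name reaches every viewer's browser.
def render_author_unsafe(name)
  %(<span class="author">#{name}</span>)
end

# Hardened rendering: HTML-escape the user-controlled value at output time.
# ERB::Util.html_escape rewrites & < > " ' as entities, which is the actual fix.
def render_author_safe(name)
  %(<span class="author">#{ERB::Util.html_escape(name)}</span>)
end

# Defense in depth (assumed policy): allowlist for display names on input.
# Letters with marks, digits, space, dot, apostrophe and hyphen, 1 to 50 chars.
NAME_PATTERN = /\A[\p{L}\p{M}\p{N} .'\-]{1,50}\z/

def valid_display_name?(name)
  NAME_PATTERN.match?(name)
end

# Post-render check: if the name carried markup characters and they survived
# verbatim in the output, escaping did not happen.
def contains_raw_markup?(html, name)
  name.match?(/[<>"']/) && html.include?(name)
end

# Run all samples through both renderers and the input check.
def audit(names = SAMPLE_NAMES)
  names.map do |n|
    {
      name: n,
      valid_input: valid_display_name?(n),
      unsafe_leaks: contains_raw_markup?(render_author_unsafe(n), n),
      safe_leaks: contains_raw_markup?(render_author_safe(n), n),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit.each { |row| puts row.inspect }
end
```

Output encoding is the control that actually closes the hole: the escaped renderer neutralizes every sample regardless of what validation let through. The allowlist only narrows what can be stored in the first place, and it rejects legitimate names such as the one containing quotes and an ampersand, which is why it is a stop-gap rather than the fix.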
Update Decidim to version 0.30.5 or later (0.31.1) to mitigate the XSS vulnerability. This update fixes the issue by correctly sanitizing user input in the user name field, preventing the execution of malicious code. Consult the release notes for detailed upgrade instructions.
CVE-2026-23891 is a CRITICAL Cross-Site Scripting (XSS) vulnerability in Decidim-Core versions up to 0.31.0.rc2. It allows attackers to execute malicious code in the context of other users, potentially compromising their sessions and data.
You are affected if you are running Decidim-Core versions 0.31.0.rc2 or earlier. Immediately check your version and upgrade to 0.31.1 or later to mitigate the risk.
The recommended fix is to upgrade Decidim-Core to version 0.31.1 or later. There are currently no available workarounds.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation suggest it may become a target. Monitor your systems closely.
Refer to the official Decidim security advisory for detailed information and updates regarding CVE-2026-23891. Check the Decidim website and security mailing lists for announcements.