cvedb.io
CVE-2026-23891
HIGH · CVSS 8.7
EPSS exploitation probability: 0%
Published 2026-04-13T17:16:28.063 · Last modified 2026-06-17T10:22:16.033

Summary

Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.

Affected products

decidim — decidim

Does this affect you?

Add your gear to cvedb and we'll alert you only when decidim ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.