CVE-2026-23891 (decidim-core): Decidim has a cross-site scripting (XSS) in user name

Decidim has a cross-site scripting (XSS) in user name

Published: April 13, 2026

SECURITY IDENTIFIERS

CVE: CVE-2026-23891 (NVD)
GHSA: GHSA-fc46-r95f-hq7g
Vendor Advisory: https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g

GEM

decidim-core

PATCHED VERSIONS

~> 0.30.5 >= 0.31.1

DESCRIPTION

Impact

A stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries.

Patches

N/A

Workarounds

Not available

References

OWASP ASVS v4.0.3-5.1.3

Credits

This issue was discovered in a security audit organized by octree and made by Secu Labs against Decidim financed by the city of Lausanne (Switzerland).

https://github.com/decidim/decidim/releases/tag/v0.31.1
https://github.com/decidim/decidim/releases/tag/v0.30.5
https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g
https://github.com/advisories/GHSA-fc46-r95f-hq7g

RubySec