RubySec

Providing security resources for the Ruby community

CVE-2026-45572 (decidim-core): Decidim - HTML content blocks allow stored script execution

Decidim - HTML content blocks allow stored script execution

Published: July 13, 2026

SECURITY IDENTIFIERS

GEM

decidim-core

SEVERITY

CVSS v3.x: 4.8 (Medium)

PATCHED VERSIONS

~> 0.30.9 ~> 0.31.5 >= 0.32.0

DESCRIPTION

Description

A privileged admin user who can edit an affected landing page can store arbitrary HTML/JavaScript in an HTML block, and the public page renders it with html_safe and no output escaping.

Impact

  • A user with landing-page editing rights for an affected scope can persist JavaScript that executes in visitor's browsers on that page.
  • Because exploitation already requires privileged administrative access, the practical risk is lower than a participant-controlled or unauthenticated stored XSS. It still creates a browser-execution primitive in a trusted admin-editable surface.

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

RELATED