Decidim - HTML content blocks allow stored script execution
Published: July 13, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-45572 (NVD)
- GHSA: GHSA-533c-2vh9-4r86
GEM
SEVERITY
CVSS v3.x: 4.8 (Medium)
PATCHED VERSIONS
~> 0.30.9
~> 0.31.5
>= 0.32.0
DESCRIPTION
Description
A privileged admin user who can edit an affected landing page can
store arbitrary HTML/JavaScript in an HTML block, and the public
page renders it with html_safe and no output escaping.
Impact
- A user with landing-page editing rights for an affected scope can persist JavaScript that executes in visitor's browsers on that page.
- Because exploitation already requires privileged administrative access, the practical risk is lower than a participant-controlled or unauthenticated stored XSS. It still creates a browser-execution primitive in a trusted admin-editable surface.
Credits
This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-45572
- https://rubygems.org/gems/decidim-core/versions/0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.32.0
- https://github.com/decidim/decidim/releases/tag/v0.31.5
- https://github.com/decidim/decidim/releases/tag/v0.30.9
- https://github.com/decidim/decidim/pull/16451
- https://advisories.gitlab.com/gem/decidim-core/CVE-2026-45572
- https://github.com/decidim/decidim/security/advisories/GHSA-533c-2vh9-4r86
- https://github.com/advisories/GHSA-533c-2vh9-4r86
