DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-23891: Critical Stored Cross-Site Scripting (XSS) in Decidim User Profiles

Vulnerability ID: CVE-2026-23891
CVSS Score: 9.3
Published: 2026-04-13

Decidim versions prior to 0.30.5 and 0.31.1 suffer from a critical stored Cross-Site Scripting (XSS) vulnerability. The framework fails to properly sanitize user-provided names and nicknames before rendering them across multiple contexts, including public comments, notifications, and highly privileged administrative audit logs. This allows authenticated attackers with standard participant privileges to execute arbitrary JavaScript in the context of other users, leading to session hijacking and administrative account takeover.

TL;DR

A stored XSS vulnerability in the Decidim framework allows low-privileged users to inject malicious scripts via profile fields. These payloads execute when viewed by other users or administrators, enabling session hijacking and unauthorized actions.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v4.0 Score: 9.3
  • Impact: High Confidentiality, High Integrity
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed
  • Affected Component: User Profile Rendering
  • Patch Status: Fixed in 0.30.5, 0.31.1

Affected Systems

  • Decidim Framework
  • decidim_users table
  • Action Logs (paper_trail)
  • Notification System
  • Decidim: < 0.30.5 (Fixed in: 0.30.5)
  • Decidim: >= 0.31.0.rc1, <= 0.31.0 (Fixed in: 0.31.1)

Code Analysis

Commit: 63ae6a7

Refactored internal census form validation to use secure authorization status collections.

Mitigation Strategies

  • Input Sanitization
  • View Layer Hardening
  • Lifecycle Cleanup
  • Editor Hardening

Remediation Steps:

  1. Upgrade Decidim to version 0.30.5 or 0.31.1.
  2. Execute the cleanup Rake task: bin/rails decidim:upgrade:remove_deleted_users_left_data
  2. Execute the deleted-follows cleanup task: bin/rails decidim:upgrade:fix_deleted_private_follows
  4. Audit existing usernames in the database for malicious HTML or script tags.
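The two defensive pieces above, escaping profile fields at the view layer and auditing stored names for markup (step 4), as an added stand-alone example. This is not Decidim's own code: it uses only Ruby's stdlib ERB::Util (the same escaping Rails applies to plain string output in .erb templates), and the sample rows with name/nickname keys are constructed stand-ins for decidim_users records.

```ruby
require "erb"

# Hardened rendering: every user-controlled field (name, nickname) is
# HTML-escaped before it is interpolated into markup. This is what the
# comment, notification and admin log views must do; anything rendered
# through raw/html_safe bypasses it.
def render_author_line(name, nickname)
  "<span class=\"author\">#{ERB::Util.html_escape(name)}" \
    " (@#{ERB::Util.html_escape(nickname)})</span>"
end

# The unsafe counterpart, for contrast only: the stored value reaches the
# page verbatim, so any tag inside it becomes live markup.
def render_author_line_raw(name, nickname)
  "<span class=\"author\">#{name} (@#{nickname})</span>"
end

# Audit helper for remediation step 4: flag stored profile fields that
# contain HTML tags, HTML entities (a sign of double-encoding tricks) or a
# javascript: scheme. Conservative on purpose: a plain "&" in a company
# name is not flagged, but anything tag-like is reviewed by a human.
SUSPICIOUS_MARKUP = %r{<\s*/?\s*[a-z!][^>]*>|&(?:#x?[0-9a-f]+|[a-z]+);|javascript:}i

def audit_user_names(rows)
  rows.select do |row|
    [row[:name], row[:nickname]].any? { |v| v.to_s.match?(SUSPICIOUS_MARKUP) }
  end
end

# Constructed sample rows (hypothetical column names :name and :nickname).
SAMPLE_USERS = [
  { id: 1, name: "Ada Lovelace",              nickname: "ada" },
  { id: 2, name: "<script>alert(1)</script>", nickname: "mallory" },
  { id: 3, name: "Bob",                       nickname: "<img src=x onerror=alert(1)>" },
  { id: 4, name: "O'Brien & Sons",            nickname: "obrien" },
]

if __FILE__ == $PROGRAM_NAME
  audit_user_names(SAMPLE_USERS).each do |u|
    puts "review user #{u[:id]}: name=#{u[:name].inspect} nickname=#{u[:nickname].inspect}"
  end
  puts render_author_line(SAMPLE_USERS[1][:name], SAMPLE_USERS[1][:nickname])
end
```

Run against a real export, the audit output is a review list, not an automatic rewrite: legitimate names containing "&" or apostrophes render safely once the view escapes them and need no change.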
