CVE-2026-23891
Published: 13 April 2026
Summary
CVE-2026-23891 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Decidim. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-23891 is a stored code execution vulnerability in the user name field of Decidim, an open-source participatory democracy framework. It affects Decidim versions below 0.30.5 and versions from 0.31.0.rc1 through 0.31.0. Published on 2026-04-13, the flaw is tied to CWE-79 (cross-site scripting) and carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its potential for cross-context impacts on confidentiality and integrity.
A low-privileged attacker (PR:L) can exploit the vulnerability over the network (AV:N) by injecting arbitrary code into their username, which is stored on comment pages. When any user passively visits such a page (UI:R), the code executes in the victim's browser context (S:C), enabling high-impact confidentiality and integrity violations, such as data theft or manipulation, without requiring elevated privileges.
The vulnerability has been fixed in Decidim versions 0.30.5 and 0.31.1, as detailed in the project's GitHub security advisory (GHSA-fc46-r95f-hq7g) and release notes for those versions. Security practitioners should prioritize upgrading affected instances to these patched releases to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22024
Vulnerability details
Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. This issue has been fixed in versions 0.30.5 and 0.31.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables direct arbitrary JavaScript execution in victim browsers (T1059.007) after exploiting the public-facing Decidim web application (T1190).
Mitigating Controls (NIST 800-53 r5)
Directly addresses the CVE by requiring identification, reporting, and correction of the stored code execution flaw through timely patching to versions 0.30.5 or 0.31.1.
SI-10 (Information Input Validation): enforces validation of user name inputs to block injection of arbitrary code like XSS payloads into stored comments.
SI-15 (Information Output Filtering): requires filtering of information outputs when rendering user names on comment pages to prevent execution of stored malicious code in visitors' browsers.
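As an added illustration of the two controls above (example code written for this page, not Decidim's own code), the following plain-Ruby snippet shows the unsafe pattern that interpolates a stored display name straight into comment markup beside its escaped form, plus an allow-list check on display names at write time. The function names, the name pattern and the sample values are constructed for illustration.

```ruby
require "erb"

# Unsafe shape of the bug: the stored display name is concatenated into the
# comment markup as-is, so any HTML in it becomes part of the page for every
# visitor. Only the body is escaped here, which is exactly the kind of gap
# that turns a user name into a stored XSS vector.
def render_comment_unsafe(name, body)
  %(<div class="comment"><span class="author">#{name}</span>) +
    %(<p>#{ERB::Util.html_escape(body)}</p></div>)
end

# Hardened form (SI-15 output filtering): every user-controlled string is
# escaped at the point it enters the HTML context, the name included.
def render_comment_safe(name, body)
  safe_name = ERB::Util.html_escape(name)
  safe_body = ERB::Util.html_escape(body)
  %(<div class="comment"><span class="author">#{safe_name}</span>) +
    %(<p>#{safe_body}</p></div>)
end

# Defence in depth (SI-10 input validation): reject display names that carry
# markup characters when they are written. Allow-list, not deny-list: letters,
# digits, spaces and a few punctuation marks, 1-64 characters (constructed policy).
NAME_PATTERN = /\A[\p{L}\p{N} .'\-_]{1,64}\z/

def valid_display_name?(name)
  name.is_a?(String) && NAME_PATTERN.match?(name)
end

# Constructed sample input: a display name that embeds a script tag.
SAMPLE_NAME = "Ada <script>x()</script>"
SAMPLE_BODY = "Hello & welcome"

if __FILE__ == $0
  puts render_comment_unsafe(SAMPLE_NAME, SAMPLE_BODY)  # raw <script> tag survives
  puts render_comment_safe(SAMPLE_NAME, SAMPLE_BODY)    # tag is rendered as text
  puts valid_display_name?(SAMPLE_NAME)                 # false: rejected at write time
end
```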