240 matches found
CVE-2026-40870
Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that hav...
CVE-2026-40869
Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature i...
Missing Authorization
Overview: Affected versions of this package are vulnerable to Missing Authorization via the commentable field in the API, which allows access to all commentable resources without permission checks. An attacker can retrieve sensitive information by sending unauthenticated requests to the /api...
CVE-2026-40869 Decidim amendments can be accepted or rejected by anyone
Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature i...
CVE-2026-40869
CVE-2026-40869 — Decidim: Affected versions of the Decidim framework (starting from 0.19.0 up to, but not including, 0.30.5 and 0.31.1) allow any registered and authenticated user to accept or reject amendments. The vulnerability stems from insufficient permission checks in the amendment accepta...
CVE-2026-40870
The CVE affects the Decidim framework: root-level commentable in the API (under /api) lets unauthenticated users access all commentable resources, bypassing permission checks. Affected versions are 0.0.1 up to but not including 0.30.5 and 0.31.1. The issue is fixed in 0.30.5 and 0.31.1. Mitigatio...
CVE-2026-40870 Decidim's comments API allows access to all commentable resources
Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that hav...
EUVD-2026-24252
Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that hav...
Decidim security vulnerability
Decidim is an open-source participatory democracy framework developed using Ruby on Rails. Versions of Decidim from 0.0.1 to 0.30.5 and 0.31.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of permission checks for the commentable fields in the API, which could...
PT-2026-34052
Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that hav...
Decidim security vulnerability
Decidim is an open-source participatory democracy framework developed using Ruby on Rails. Versions of Decidim from 0.19.0 to 0.30.5 and 0.31.1 contained security vulnerabilities. These vulnerabilities stemmed from allowing any registered and authenticated user to accept or reject any amendment,...
Cross-site Scripting (XSS)
Decidim is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper sanitization of user input in the user name field, which allows an attacker to inject and execute arbitrary code when other users view affected pages...
Missing Authorization
Overview: Affected versions of this package are vulnerable to Missing Authorization in the amendment acceptance flow. An attacker can gain unauthorized coauthorship and modify proposal outcomes by submitting amendment accept or reject actions without proper authorization checks. Workaround: This...
CVE-2026-23891
Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting...
Decidim's comments API allows access to all commentable resources
Impact: The root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the /api endpoint. The /api endpoint is publicly available with the default configuration...
CVE-2026-23891 Decidim has a Cross-site scripting (XSS) vulnerability via user name field
Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting...