10 matches found
CVE-2026-40870 Decidim's comments API allows access to all commentable resources
Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that hav...
CVE-2026-40869 Decidim amendments can be accepted or rejected by anyone
Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, a vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature i...
CVE-2026-23891 Decidim has a Cross-site scripting (XSS) vulnerability via user name field
Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting...
CVE-2023-36465
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The templates module doesn't enforce the correct permissions, allowing any logged-in user to access this functionality in t...
Cross-Site Scripting (XSS)
Decidim is vulnerable to Cross-Site Scripting (XSS) attacks. The vulnerability is due to improper sanitization of admin activity logs, allowing XSS payloads to be injected when an admin assigns a valuator to a proposal or performs other actions that generate logs with malicious content...
Cross-Site Scripting (XSS)
Decidim is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper validation and sanitization of HTML content in the QuillJS WYSIWYG editor, which allows attackers to inject malicious code, such as an XSS payload, before the content is uploaded to the server...
Decidim security breach
Decidim is a participatory democracy framework, written in Ruby on Rails. A security vulnerability exists in versions of Decidim prior to 0.27.6, which stems from the ability to access certain data from an unpublished or private resource if an attacker can infer the slug or URL of that resource...
PT-2024-24596 · Decidim · Decidim
Name of the Vulnerable Software and Affected Versions: Decidim versions prior to 0.27.6; Decidim versions prior to 0.28.1. Description: The pagination feature used in searches and filters is subject to potential XSS attack through a malformed URL using the GET parameter per page. This issue was...
PT-2023-24663 · Ransack +2 · Ransack +2
Name of the Vulnerable Software and Affected Versions: Decidim versions prior to 0.27.3. Description: Decidim, a participatory democracy framework written in Ruby on Rails, uses a third-party library named Ransack for filtering certain database collections. By default, this library allows filterin...