GHSA-533c-2vh9-4r86MediumCVSS 4.8

Decidim: HTML content blocks allow stored script execution

Published
July 13, 2026
Last Modified
July 13, 2026

🔗 CVE IDs covered (1)

📋 Description

Description

A privileged admin user who can edit an affected landing page can store arbitrary HTML/JavaScript in an HTML block, and the public page renders it with html_safe and no output escaping.

Technical description

This issue lets any admin who can edit an affected landing page store arbitrary HTML and JavaScript in an HTML block. The block is then rendered back through Decidim::ContentBlocks::HtmlCell#html_content without a sanitization boundary, so the script executes later in visitor's browsers.

Impact

  • A user with landing-page editing rights for an affected scope can persist JavaScript that executes in visitor's browsers on that page.
  • Because exploitation already requires privileged administrative access, the practical risk is lower than a participant-controlled or unauthenticated stored XSS. It still creates a browser-execution primitive in a trusted admin-editable surface.

Patches

See https://github.com/decidim/decidim/pull/16451

Workarounds

Do not give admin permissions to non-trustful users.

Reference

Stored XSS

Credits

This issue was discovered in a security audit organized by the Decidim Association and made by Radically Open Security against Decidim financed by NGI.

🎯 Affected products3

  • rubygems/decidim-core:< 0.30.9
  • rubygems/decidim-core:>= 0.31.0.rc1, < 0.31.5
  • rubygems/decidim-core:>= 0.32.0.rc1, < 0.32.0

🔗 References (3)