Updated advisory posts against rubysec/ruby-advisory-db@bb1ce69

flavorjones · RubySec CI · commit 816ea58a2d52 · 2026-05-12T14:24:37.000Z
diff --git a/advisories/_posts/2026-04-13-CVE-2026-23891.md b/advisories/_posts/2026-04-13-CVE-2026-23891.md
@@ -0,0 +1,50 @@
+---
+layout: advisory
+title: 'CVE-2026-23891 (decidim-core): Decidim has a cross-site scripting (XSS) in
+  user name'
+comments: false
+categories:
+- decidim-core
+advisory:
+  gem: decidim-core
+  cve: 2026-23891
+  ghsa: fc46-r95f-hq7g
+  url: https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g
+  title: Decidim has a cross-site scripting (XSS) in user name
+  date: 2026-04-13
+  description: |-
+    ### Impact
+
+    A stored code execution vulnerability in the user name field allows
+    a low-privileged attacker to execute arbitrary code in the context
+    of any user who passively visits a comment page, resulting in high
+    confidentiality and integrity impact across security boundaries.
+
+    ### Patches
+
+    N/A
+
+    ### Workarounds
+
+    Not available
+
+    ### References
+
+    OWASP ASVS v4.0.3-5.1.3
+
+    ### Credits
+
+    This issue was discovered in a security audit organized by
+    [octree](https://octree.ch/) and made by
+    [Secu Labs](https://seculabs.ch/) against Decidim financed
+    by the city of Lausanne (Switzerland).
+  patched_versions:
+  - "~> 0.30.5"
+  - ">= 0.31.1"
+  related:
+    url:
+    - https://github.com/decidim/decidim/releases/tag/v0.31.1
+    - https://github.com/decidim/decidim/releases/tag/v0.30.5
+    - https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g
+    - https://github.com/advisories/GHSA-fc46-r95f-hq7g
+---
