Package details: pkg:gem/decidim-core@0.28.4
purl pkg:gem/decidim-core@0.28.4
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability: VCID-25zg-267g-w3cn
Aliases: CVE-2025-65017, GHSA-3cx6-j9j4-54mp

Summary: Decidim's private data exports can lead to data leaks

Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs. The bug was introduced by #13571 and affects Decidim versions 0.30.0 or newer (currently 2025-09-23).

This issue was discovered by running the following spec several times in a row, as it can randomly fail due to this bug:

```bash
$ cd decidim-core
$ for i in {1..10}; do bundle exec rspec spec/jobs/decidim/download_your_data_export_job_spec.rb -e "deletes the" || break ; done
```

Run the spec as many times as needed to hit a UUID that converts to `0` through `.to_i`. The UUID to zero conversion does not cause a security issue but the security issue is demonstrated with the following example. The following code regenerates the issue by assigning a predefined UUID that will generate a collision (example assumes there are already two existing users in the system):

Fixed by: 0.30.4 (affected by 3 other vulnerabilities), 0.31.0 (affected by 3 other vulnerabilities)

Vulnerability: VCID-k1gk-pcda-a7cb
Aliases: CVE-2026-23891, GHSA-fc46-r95f-hq7g

Summary: Decidim has a cross-site scripting (XSS) in user name

### Impact

A stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries.

### Patches

N/A

### Workarounds

Not available

### References

OWASP ASVS v4.0.3-5.1.3

### Credits

This issue was discovered in a security audit organized by [octree](https://octree.ch/) and made by [Secu Labs](https://seculabs.ch/) against Decidim, financed by the city of Lausanne (Switzerland).

Fixed by: 0.30.5 (affected by 1 other vulnerability), 0.31.1 (affected by 1 other vulnerability)

Vulnerability: VCID-m38p-yqcn-nka4
Aliases: CVE-2026-40869, GHSA-w5xj-99cg-rccm

Summary: Decidim amendments can be accepted or rejected by anyone

### Impact

The vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal, as people amending proposals are provided coauthorship on the coauthorable resources.

The only check done when accepting or rejecting amendments is whether the amendment reactions are enabled for the component:

- https://github.com/decidim/decidim/blob/9d6c3d2efe5a83bb02e095824ff5998d96a75eb7/decidim-core/app/permissions/decidim/permissions.rb#L107

The permission checks have been changed at 1b99136, which was introduced in released version 0.19.0. I have not investigated whether prior versions are also affected.

### Patches

Not available

### Workarounds

Disable amendment reactions for the amendable component (e.g. proposals).

Fixed by: 0.30.5 (affected by 1 other vulnerability), 0.31.1 (affected by 1 other vulnerability)
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T08:02:16.561485+00:00 | GitLab Importer | Affected by | VCID-m38p-yqcn-nka4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/decidim-core/CVE-2026-40869.yml | 38.6.0 |
| 2026-06-06T07:58:15.087461+00:00 | GitLab Importer | Affected by | VCID-k1gk-pcda-a7cb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/decidim-core/CVE-2026-23891.yml | 38.6.0 |
| 2026-06-04T18:15:55.306335+00:00 | Ruby Importer | Affected by | VCID-25zg-267g-w3cn | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2025-65017.yml | 38.6.0 |