{"url":"http://public2.vulnerablecode.io/api/packages/64837?format=json","purl":"pkg:gem/decidim@0.26.7","type":"gem","namespace":"","name":"decidim","version":"0.26.7","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.26.8","latest_non_vulnerable_version":"0.30.4","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18030?format=json","vulnerability_id":"VCID-duuc-4122-tfha","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nDecidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The processes filter feature is susceptible to Cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in version 0.27.3 and 0.26.7.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34089","reference_id":"","reference_type":"","scores":[{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34759","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-34089"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.26.6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/decidim/decidim/releases/tag/v0.26.6"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.26.7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/decidim/decidim/releases/tag/v0.26.7"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.27.3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/decidim/decidim/releases/tag/v0.27.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34089","reference_id":"CVE-2023-34089","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34089"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2023-34089.yml","reference_id":"CVE-2023-34089.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2023-34089.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-34089.yml","reference_id":"CVE-2023-34089.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-34089.yml"},{"reference_url":"https://github.com/advisories/GHSA-5652-92r9-3fx9","reference_id":"GHSA-5652-92r9-3fx9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5652-92r9-3fx9"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9","reference_id":"GHSA-5652-92r9-3fx9","reference_type":"","scores":[],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-5652-92r9-3fx9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64837?format=json","purl":"pkg:gem/decidim@0.26.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.26.7"},{"url":"http://public2.vulnerablecode.io/api/packages/64832?format=json","purl":"pkg:gem/decidim@0.27.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.3"}],"aliases":["CVE-2023-34089","GHSA-5652-92r9-3fx9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-duuc-4122-tfha"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18031?format=json","vulnerability_id":"VCID-ydvj-rmfn-8uaz","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nDecidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government online and offline participation website. The external link feature is susceptible to cross-site scripting. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to make other users endorse or support proposals they have no intention of supporting or endorsing. The problem was patched in versions 0.27.3 and 0.26.7.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32693","reference_id":"","reference_type":"","scores":[{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.45563","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32693"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.26.7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/decidim/decidim/releases/tag/v0.26.7"},{"reference_url":"https://github.com/decidim/decidim/releases/tag/v0.27.3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/decidim/decidim/releases/tag/v0.27.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32693","reference_id":"CVE-2023-32693","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32693"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2023-32693.yml","reference_id":"CVE-2023-32693.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim-core/CVE-2023-32693.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-32693.yml","reference_id":"CVE-2023-32693.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/decidim/CVE-2023-32693.yml"},{"reference_url":"https://github.com/advisories/GHSA-469h-mqg8-535r","reference_id":"GHSA-469h-mqg8-535r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-469h-mqg8-535r"},{"reference_url":"https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r","reference_id":"GHSA-469h-mqg8-535r","reference_type":"","scores":[],"url":"https://github.com/decidim/decidim/security/advisories/GHSA-469h-mqg8-535r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64837?format=json","purl":"pkg:gem/decidim@0.26.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.26.7"},{"url":"http://public2.vulnerablecode.io/api/packages/64832?format=json","purl":"pkg:gem/decidim@0.27.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.27.3"}],"aliases":["CVE-2023-32693","GHSA-469h-mqg8-535r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ydvj-rmfn-8uaz"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/decidim@0.26.7"}