Decidim

This hub aggregates every CVE we track for Decidim, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Decidim.

• CVE-2026-40869Decidim amendments can be accepted or rejected by anyone7.5Apr 21, 2026
• CVE-2026-40870Decidim's comments API allows access to all commentable resources7.5Apr 21, 2026
• CVE-2026-23891Decidim has a Cross-site scripting (XSS) vulnerability via user name field8.7Apr 13, 2026
• CVE-2025-65017Decidim's private data exports can lead to data leaks6.5Feb 3, 2026
• CVE-2024-45594Decidim allows cross-site scripting (XSS) in the online or hybrid meeting embeds7.7Nov 13, 2024
• CVE-2024-41673Decidim has a cross-site scripting vulnerability in the version control page7.1Oct 1, 2024
• CVE-2024-39910Cross-site scripting (XSS) in the decidim admin panel with QuillJS WYSWYG editor5.4Sep 16, 2024
• CVE-2024-32034Cross-site scripting (XSS) in the decidim admin activity log6.8Sep 16, 2024
• CVE-2024-32469Decidim has cross-site scripting (XSS) in the pagination7.1Jul 10, 2024
• CVE-2024-27095Decidim cross-site scripting (XSS) in the admin panel5.4Jul 10, 2024
• CVE-2024-27090Decidim vulnerable to data disclosure through the embed feature5.3Jul 10, 2024
• CVE-2023-51447Decidim vulnerable to cross-site scripting (XSS) in the dynamic file uploads6.3Feb 20, 2024
• CVE-2023-48220Decidim's devise_invitable gem vulnerable to circumvention of invitation token expiry period5.7Feb 20, 2024
• CVE-2023-47635Decidim vulnerable to possible CSRF attack at questionnaire templates preview4.5Feb 20, 2024
• CVE-2023-47634Decidim has race condition in Endorsements3.1Feb 20, 2024