Listen to this Post
How CVE-2026-45572 Works
This Stored Cross-Site Scripting (XSS) vulnerability resides in the `decidim-core` Ruby gem, which is the foundation of the Decidim participatory democracy framework. The flaw specifically affects the “HTML block” content type used on landing pages.
The root cause is that the application fails to properly sanitize user-supplied input before rendering it in a visitor’s browser. A privileged admin user, who has the necessary permissions to edit a landing page, can inject arbitrary HTML or JavaScript code into an HTML block. When this block is saved, the application stores the malicious payload in the database.
The vulnerability is triggered when the landing page is rendered for public visitors. The application uses the `Decidim::ContentBlocks::HtmlCellhtml_content` method to display the content of the HTML block. This method employs the `html_safe` flag, which marks the content as safe to render directly in the browser without any further output escaping or sanitization.
Consequently, any JavaScript code injected by the admin is executed in the browsers of all users who visit that specific landing page. While the need for administrative privileges lowers the overall severity, this still represents a significant risk as it provides a trusted and persistent mechanism for executing arbitrary code on the platform. The vulnerability is fixed in patched versions 0.30.9, 0.31.5, and 0.32.0.
DailyCVE Form
Platform: Decidim
Version: <0.30.9, 0.31.0.rc1-0.31.4, 0.32.0.rc1
Vulnerability: Stored XSS
Severity: Moderate (4.8)
date: 2026-07-13
Prediction: 2026-07-13
What Undercode Say
The vulnerability arises from trusting admin input without sanitization in HtmlCellhtml_content.
Analytics
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High (Admin)
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
- Base Score: 4.8 (Medium)
Code & Commands
The vulnerable code path can be identified in the `decidim-core` gem.
Vulnerable code in Decidim::ContentBlocks::HtmlCell def html_content The content is marked as html_safe and rendered without sanitization model.attributes["settings"].try(:[], "html").try(:html_safe) || "" end
To check if your instance is vulnerable, you can use the following command to find the version of the `decidim-core` gem:
bundle list | grep decidim-core
Or, for a more detailed version check:
bundle show decidim-core
How Exploit
- An attacker with administrative privileges navigates to the admin dashboard.
- The attacker selects a landing page that they are permitted to edit.
- The attacker adds or modifies an “HTML block” on that page.
- In the block’s content field, the attacker injects a malicious JavaScript payload, for example:
<script>alert('XSS Vulnerability!');</script> - The attacker saves the changes. The payload is stored in the database without sanitization.
- When any non-admin user visits the affected public landing page, the `HtmlCellhtml_content` method renders the stored content using
html_safe. - The visitor’s browser executes the injected script, leading to a Stored XSS attack.
Protection
The primary protection is to apply the official patches released by the Decidim project.
– Upgrade: Immediately upgrade the `decidim-core` gem to a patched version:
– `0.30.9` or later for the 0.30.x series
– `0.31.5` or later for the 0.31.x series
– `0.32.0` or later for the 0.32.x series
bundle update decidim-core
– Workaround: If an immediate upgrade is not possible, strictly limit administrative permissions. Do not grant landing-page editing rights to non-trustful users. Only provide these permissions to highly trusted and vetted administrators.
Impact
- Successful exploitation allows a malicious administrator to persistently execute arbitrary JavaScript in the browsers of all visitors to the compromised landing page.
- Potential consequences include:
- Stealing session cookies or other sensitive user information.
- Performing unauthorized actions on behalf of the victim user.
- Defacing the public-facing website.
- Redirecting users to malicious external sites.
- Risk Level: Although the vulnerability requires administrative access, it creates a powerful and persistent browser-execution primitive within a trusted area of the application. This undermines the security of all users who interact with the affected page.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

