THREAT OPS › Threat News › [GHSA] GHSA-jvqq-cvh4-xm37 (medium) — Decidim: Admin user search allows SQL injection through similarity-based sorting
[GHSA] GHSA-jvqq-cvh4-xm37 (medium) — Decidim: Admin user search allows SQL injection through similarity-based sorting
GHSA-jvqq-cvh4-xm37 Severity: medium CVE: CVE-2026-45376
Decidim: Admin user search allows SQL injection through similarity-based sorting
The admin organization user search uses the untrusted term value inside raw SQL ORDER BY expressions. Because the value is interpolated before Rails sanitization is applied, a crafted search string is executed by PostgreSQL as part of the sort expression.
###
Indicators of compromise
- CVE-2026-45376cve
- https://decidim.orgurl
- https://www.radicallyopensecurity.com/url
- https://ngi.eu/url
Original source: https://github.com/advisories/GHSA-jvqq-cvh4-xm37