THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-533c-2vh9-4r86 (medium) — Decidim: HTML content blocks allow stored script execution

[GHSA] GHSA-533c-2vh9-4r86 (medium) — Decidim: HTML content blocks allow stored script execution

highgithub_advisoriesPublished 2026-07-13

GHSA-533c-2vh9-4r86 Severity: medium CVE: CVE-2026-45572

Decidim: HTML content blocks allow stored script execution

## Description

A privileged admin user who can edit an affected landing page can store arbitrary HTML/JavaScript in an `HTML block`, and the public page renders it with `html_safe` and no output escaping.

## Technical description

This issue lets any admin who can edit an af

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://github.com/advisories/GHSA-533c-2vh9-4r86