THREAT OPS › Threat News › [GHSA] GHSA-533c-2vh9-4r86 (medium) — Decidim: HTML content blocks allow stored script execution
[GHSA] GHSA-533c-2vh9-4r86 (medium) — Decidim: HTML content blocks allow stored script execution
GHSA-533c-2vh9-4r86 Severity: medium CVE: CVE-2026-45572
Decidim: HTML content blocks allow stored script execution
## Description
A privileged admin user who can edit an affected landing page can store arbitrary HTML/JavaScript in an `HTML block`, and the public page renders it with `html_safe` and no output escaping.
## Technical description
This issue lets any admin who can edit an af
MITRE ATT&CK techniques
- JavaScriptT1059.007
Indicators of compromise
- CVE-2026-45572cve
- https://decidim.orgurl
- https://www.radicallyopensecurity.com/url
- https://ngi.eu/url
Original source: https://github.com/advisories/GHSA-533c-2vh9-4r86