diff --git a/gems/decidim-core/CVE-2026-23891.yml b/gems/decidim-core/CVE-2026-23891.yml new file mode 100644 index 0000000000..ea0392327b --- /dev/null +++ b/gems/decidim-core/CVE-2026-23891.yml @@ -0,0 +1,42 @@ +--- +gem: decidim-core +cve: 2026-23891 +ghsa: fc46-r95f-hq7g +url: https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g +title: Decidim has a cross-site scripting (XSS) in user name +date: 2026-04-13 +description: | + ### Impact + + A stored code execution vulnerability in the user name field allows + a low-privileged attacker to execute arbitrary code in the context + of any user who passively visits a comment page, resulting in high + confidentiality and integrity impact across security boundaries. + + ### Patches + + N/A + + ### Workarounds + + Not available + + ### References + + OWASP ASVS v4.0.3-5.1.3 + + ### Credits + + This issue was discovered in a security audit organized by + [octree](https://octree.ch/) and made by + [Secu Labs](https://seculabs.ch/) against Decidim financed + by the city of Lausanne (Switzerland). +patched_versions: + - "~> 0.30.5" + - ">= 0.31.1" +related: + url: + - https://github.com/decidim/decidim/releases/tag/v0.31.1 + - https://github.com/decidim/decidim/releases/tag/v0.30.5 + - https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g + - https://github.com/advisories/GHSA-fc46-r95f-hq7g
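Review bot: the `### Patches` section reads "N/A" while `patched_versions` in the same file lists `"~> 0.30.5"` and `">= 0.31.1"`, so the human-readable advisory text contradicts the machine-readable fix data; the Patches section should state that the issue is fixed in 0.30.5 and 0.31.1 (matching the two release URLs under `related:`). Also consider aligning the first sentence of `### Impact` with the `title:`: the title calls this a cross-site scripting (XSS) bug, but the description says "stored code execution vulnerability", which reads as server-side code execution rather than script execution in the browser of a user who views a comment page; "stored cross-site scripting (XSS) vulnerability in the user name field" would match the title and the described impact.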