Tag
CVE-2026-40870 allows unauthenticated access to commentable resources in Decidim platforms prior to versions 0.30.5 and 0.31.1 due to missing permission checks on the publicly accessible `/api` endpoint, potentially exposing sensitive data.