CVE-2026-45573 (decidim-core): Decidim - Push subscriptions can be abused for server-side requests
Originally appeared on RubySec.## Description The push-subscription endpoint stores an attacker-controlled delivery URL, and the notification send path becomes an outbound-request...