Skip to main content

Django CVE-2026-25517

LOW
Missing Authorization (CWE-862)
2026-02-04 security-advisories@github.com GHSA-4qvv-g3vr-m348
2.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 20, 2026 - 21:20 nvd
Patch available
CVE Published
Feb 04, 2026 - 21:16 nvd
LOW 2.7

DescriptionGitHub Advisory

Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3.

AnalysisAI

Wagtail is an open source content management system built on Django. [CVSS 2.7 LOW]

Technical ContextAI

Classified as CWE-862 (Missing Authorization). Affects Wagtail. Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but de

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

More in Django

View all
CVE-2017-12794 MEDIUM POC
6.1 Sep 07

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for

CVE-2022-34265 CRITICAL POC
9.8 Jul 04

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. Rated critical severity (CVSS 9.8), this vulne

CVE-2021-35042 CRITICAL POC
9.8 Jul 02

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input

CVE-2019-19844 CRITICAL POC
9.8 Dec 18

Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. Rated critical severity (CVSS 9.8

CVE-2020-9402 HIGH POC
8.8 Mar 05

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a

CVE-2016-6186 MEDIUM POC
6.1 Aug 05

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/j

CVE-2025-57833 HIGH POC
7.1 Sep 03

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. Rated high severity (CVSS

CVE-2015-5143 HIGH
7.8 Jul 14

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows rem

CVE-2015-0221 MEDIUM POC
5.0 Jan 16

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an e

CVE-2014-0474 CRITICAL
10.0 Apr 23

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.

CVE-2026-1207 MEDIUM POC
5.4 Feb 03

SQL injection in Django's PostGIS RasterField lookups allows authenticated attackers to execute arbitrary SQL commands t

CVE-2016-9013 CRITICAL
9.8 Dec 09

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary datab

Share

CVE-2026-25517 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy