CVE-2026-44197
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1 pypi packages depend on wagtail (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 7.1.
DescriptionGitHub Advisory
Impact
A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information.
Patches
Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.
Workarounds
No workaround is available.
Acknowledgements
Many thanks to Seoyoung Kang @seoyoung-kang from AhnLab and an independent security researcher for reporting this issue.
For more information
If there are any questions or comments about this advisory:
- Visit Wagtail's support channels
- Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the security policy for more information).
Analysis
Impact
A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information.
Patches
Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.
Workarounds
No workaround is available.
Acknowledgements
Many thanks to Seoyoung Kang @seoyoung-kang from AhnLab and an independent security researcher for reporting this issue.
For more information
If there are any questions or comments about this advisory:
- Visit Wagtail's support channels
- Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the security policy for more information).
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-c6wj-9vcj-75pj