What is the CVSS score of CVE-2026-44201?

CVE-2026-44201 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-44201?

Yes, a patch is available for CVE-2026-44201. Update the affected software to the latest version immediately.

CVE-2026-44201

MEDIUM

Improper Handling of Insufficient Permissions or Privileges (CWE-280)

2026-05-08 https://github.com/wagtail/wagtail

GHSA-p5gm-92h4-6pv6

Information Disclosure

5.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

CVE Published

May 08, 2026 - 20:21 nvd

MEDIUM 5.3

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 pypi packages depend on wagtail (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 7.1.

DescriptionNVD

Impact

The Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections.

Patches

Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates this fix.

Workarounds

Site owners using Wagtail's API can avoid the vulnerability by adding authentication to the Documents and Images APIs.

Acknowledgements

Wagtail thanks independent security researcher Sanjok Karki @thesanjok for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Visit Wagtail's support channels
Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view the security policy for more information).

Analysis

The Documents and Images [API](https://docs.wagtail.org/en/stable/advanced_topics/api/index.html) incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44201 vulnerability details – vuln.today

Back

CVE-2026-44201

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

Impact

Patches

Workarounds

Acknowledgements

For more information

Analysis

Full analysis requires sign-in

Share

External POC / Exploit Code