Skip to main content

Wagtail

16 CVEs product

Monthly

CVE-2026-54263 PyPI HIGH PATCH This Week

Reflected cross-site scripting in the Wagtail Django CMS admin interface lets a low-privilege editor craft a malicious URL that executes JavaScript in the browser of a higher-privilege administrator who opens it, enabling actions to be performed with the victim's credentials. All Wagtail installations before 7.0.8, 7.3.3 and 7.4.2 are affected - the flaw lives in the dynamic image URL generator view and exists even on sites that never enabled the dynamic image serve view. No public exploit identified at time of analysis, and the issue is not reachable by anonymous site visitors without a Wagtail admin account.

XSS Python Wagtail
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-54262 PyPI MEDIUM PATCH This Month

Authorization bypass in Wagtail CMS allows authenticated low-privilege users to create translations for pages beyond their permitted scope. Versions prior to 7.0.8, 7.3.3, and 7.4.2 fail to enforce page-level permission checks when a user submits a translation request, exposing content of restricted pages to anyone holding the 'Can submit translation' permission. No public exploit code or active exploitation (CISA KEV) has been identified, but the low attack complexity and network-accessible vector make this straightforward to abuse for information disclosure.

Python Information Disclosure Wagtail
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-54261 PyPI MEDIUM PATCH This Month

Missing authorization on the image preview endpoint in Wagtail CMS allows any authenticated admin-panel user to render previews of images they do not have permission to access. Affected across three maintained release branches - all Wagtail versions prior to 7.0.8, 7.3.3, and 7.4.2. No public exploit has been identified at time of analysis, and exploitation is strictly bounded to users holding valid Wagtail admin credentials, making this a privileged-insider or compromised-account risk rather than an external threat.

Python Information Disclosure Wagtail
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-54259 PyPI MEDIUM PATCH This Month

Wagtail's Documents and Images chooser endpoint leaks asset metadata - including filenames, display names, and URLs - to authenticated admin users who have been explicitly denied collection-level choose permissions. Versions prior to 7.0.8, 7.3.3, and 7.4.2 are affected across the 7.0, 7.3, and 7.4 release branches. An attacker with a valid Wagtail admin account can enumerate restricted media assets across collections beyond their authorized scope, bypassing the collection permission model. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Python Information Disclosure Wagtail
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-54260 PyPI LOW PATCH Monitor

Wagtail CMS versions prior to 7.0.8, 7.3.3, and 7.4.2 expose a resource exhaustion vector where authenticated admin users can submit purposefully crafted image filter specification strings that trigger disproportionately expensive rendition processing on the server, resulting in service degradation for all site users. The vulnerability is constrained to admin-level authenticated users and cannot be triggered by ordinary unauthenticated site visitors, materially limiting real-world attack surface. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the low-priority tier for most deployments.

Python Denial Of Service Wagtail
NVD GitHub
CVSS 3.1
2.7
EPSS
0.2%
CVE-2026-28223 PyPI MEDIUM PATCH This Month

Stored XSS in Wagtail's simple_translation module allows authenticated admin users to inject malicious JavaScript through specially-crafted page titles that executes when other admins perform translation actions, potentially compromising their credentials. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, and requires admin-level access to exploit, limiting exposure to internal threats. Patches are available for all affected versions.

Django XSS Wagtail
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-28222 PyPI MEDIUM PATCH This Month

Stored XSS in Wagtail's TableBlock allows authenticated users with page editing permissions to inject malicious class attributes that execute arbitrary JavaScript when pages are viewed by other users. An attacker could exploit this to perform administrative actions or steal credentials from higher-privileged users viewing the compromised content. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, with patches now available.

Django XSS Wagtail
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-39317 PyPI MEDIUM PATCH GHSA This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Python Denial Of Service Wagtail
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-45809 PyPI LOW PATCH Monitor

Wagtail is an open source content management system built on Django. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Python Wagtail
NVD GitHub
CVSS 3.1
2.7
EPSS
0.5%
CVE-2023-28837 PyPI MEDIUM PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Wagtail
NVD GitHub
CVSS 3.1
4.9
EPSS
1.1%
CVE-2023-28836 PyPI MEDIUM PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Python XSS Wagtail
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%
CVE-2021-32681 PyPI MEDIUM POC PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python XSS Wagtail
NVD GitHub
CVSS 3.1
5.4
EPSS
1.1%
CVE-2021-29434 PyPI MEDIUM PATCH This Month

Wagtail is a Django content management system. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python XSS RCE Wagtail
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2020-15118 PyPI MEDIUM PATCH This Month

In Wagtail before versions 2.7.4 and 2.9.3, when a form page type is made available to Wagtail editors through the `wagtail.contrib.forms` app, and the page template is built using Django's standard. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Privilege Escalation Python Wagtail
NVD GitHub
CVSS 3.1
5.4
EPSS
1.1%
CVE-2020-11037 PyPI MEDIUM PATCH This Month

In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. Rated medium severity (CVSS 4.7). No vendor patch available.

Google Python Information Disclosure Wagtail
NVD GitHub
CVSS 3.1
4.7
EPSS
0.2%
CVE-2020-11001 PyPI MEDIUM POC PATCH This Month

In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wagtail
NVD GitHub
CVSS 3.1
6.8
EPSS
1.3%
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Reflected cross-site scripting in the Wagtail Django CMS admin interface lets a low-privilege editor craft a malicious URL that executes JavaScript in the browser of a higher-privilege administrator who opens it, enabling actions to be performed with the victim's credentials. All Wagtail installations before 7.0.8, 7.3.3 and 7.4.2 are affected - the flaw lives in the dynamic image URL generator view and exists even on sites that never enabled the dynamic image serve view. No public exploit identified at time of analysis, and the issue is not reachable by anonymous site visitors without a Wagtail admin account.

XSS Python Wagtail
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Authorization bypass in Wagtail CMS allows authenticated low-privilege users to create translations for pages beyond their permitted scope. Versions prior to 7.0.8, 7.3.3, and 7.4.2 fail to enforce page-level permission checks when a user submits a translation request, exposing content of restricted pages to anyone holding the 'Can submit translation' permission. No public exploit code or active exploitation (CISA KEV) has been identified, but the low attack complexity and network-accessible vector make this straightforward to abuse for information disclosure.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Missing authorization on the image preview endpoint in Wagtail CMS allows any authenticated admin-panel user to render previews of images they do not have permission to access. Affected across three maintained release branches - all Wagtail versions prior to 7.0.8, 7.3.3, and 7.4.2. No public exploit has been identified at time of analysis, and exploitation is strictly bounded to users holding valid Wagtail admin credentials, making this a privileged-insider or compromised-account risk rather than an external threat.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Wagtail's Documents and Images chooser endpoint leaks asset metadata - including filenames, display names, and URLs - to authenticated admin users who have been explicitly denied collection-level choose permissions. Versions prior to 7.0.8, 7.3.3, and 7.4.2 are affected across the 7.0, 7.3, and 7.4 release branches. An attacker with a valid Wagtail admin account can enumerate restricted media assets across collections beyond their authorized scope, bypassing the collection permission model. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Python Information Disclosure Wagtail
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Wagtail CMS versions prior to 7.0.8, 7.3.3, and 7.4.2 expose a resource exhaustion vector where authenticated admin users can submit purposefully crafted image filter specification strings that trigger disproportionately expensive rendition processing on the server, resulting in service degradation for all site users. The vulnerability is constrained to admin-level authenticated users and cannot be triggered by ordinary unauthenticated site visitors, materially limiting real-world attack surface. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the low-priority tier for most deployments.

Python Denial Of Service Wagtail
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Wagtail's simple_translation module allows authenticated admin users to inject malicious JavaScript through specially-crafted page titles that executes when other admins perform translation actions, potentially compromising their credentials. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, and requires admin-level access to exploit, limiting exposure to internal threats. Patches are available for all affected versions.

Django XSS Wagtail
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Wagtail's TableBlock allows authenticated users with page editing permissions to inject malicious class attributes that execute arbitrary JavaScript when pages are viewed by other users. An attacker could exploit this to perform administrative actions or steal credentials from higher-privileged users viewing the compromised content. The vulnerability affects Wagtail versions prior to 6.3.8, 7.0.6, 7.2.3, and 7.3.1, with patches now available.

Django XSS Wagtail
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Python Denial Of Service Wagtail
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Wagtail is an open source content management system built on Django. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Python Wagtail
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Wagtail
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Python XSS Wagtail
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python XSS Wagtail
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

Wagtail is a Django content management system. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python XSS RCE +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

In Wagtail before versions 2.7.4 and 2.9.3, when a form page type is made available to Wagtail editors through the `wagtail.contrib.forms` app, and the page template is built using Django's standard. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Privilege Escalation Python +1
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. Rated medium severity (CVSS 4.7). No vendor patch available.

Google Python Information Disclosure +1
NVD GitHub
EPSS 1% CVSS 6.8
MEDIUM POC PATCH This Month

In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wagtail
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy