Wagtail CMS 6.4.1 Cross Site Scripting

Date: 31 Mar 2026
Reported by: Ibrahim Fatih Inceli, Berat Aksit
Type: packetstorm
Source: packetstorm.news

Wagtail 6.4.1 stores cross site scripting via crafted PDF uploads that execute JavaScript in the Documents view.

Title: Wagtail CMS 6.4.1 Stored Cross-Site Scripting (XSS)

Date: 2026-03-31
Author: Ibrahim Fatih Inceli, Berat Aksit
Vendor Homepage: https://wagtail.org/
Software Link: https://github.com/wagtail/wagtail
Version: 6.4.1
CVE: CVE-2026-45388
PoC: https://github.com/echoBRT/Wagtail-CMS-XSS

Description:
Wagtail CMS 6.4.1 contains a Stored Cross-Site Scripting (XSS) vulnerability in the
document upload functionality. An attacker can embed a malicious payload inside a PDF
file. When the uploaded document is accessed via the CMS interface, the payload may
execute in the context of the user.

Technical Details:
The vulnerability occurs due to insufficient validation and sanitization of uploaded
document content. Specifically, crafted PDF files containing embedded JavaScript can
be uploaded and later executed when accessed through the CMS document management interface.

Steps to Reproduce:
1. Log in to Wagtail CMS as a user with document upload permissions.
2. Upload a crafted PDF file containing a JavaScript payload.
3. Navigate to the Documents section.
4. Click on the uploaded document.
5. Observe that the payload executes.

Impact:
This vulnerability may allow attackers to execute arbitrary JavaScript in the context
of authenticated users, potentially leading to session hijacking or further compromise.

Vendor Response:
The vendor disputes this issue. According to the vendor, the behavior depends on the
file serving configuration. When files are served outside of Wagtail (the default setup),
security headers and execution controls depend on the hosting environment (e.g., AWS S3).

Solution:
Properly configure the file serving mechanism and ensure that appropriate security headers
(e.g., Content-Type, Content-Disposition, CSP) are enforced when serving uploaded files.
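As an added illustration of the solution above (example code, not part of the advisory and not Wagtail's own code), this Python sketch shows the two defender-side controls it implies: a heuristic scan for script-bearing name tokens in an uploaded PDF, and response headers that serve documents as downloads with nosniff and a sandboxing CSP. Function names and the sample PDF fragments are constructed for this example.

```python
import re
from urllib.parse import quote

# PDF name tokens associated with embedded script and auto-run actions.
# Matching raw bytes is a heuristic: names can be hex-escaped (/J#53) and
# objects can sit inside compressed object streams, so read an empty result
# as "nothing found", not "safe". Hypothetical helper, not Wagtail's code.
PDF_SCRIPT_TOKEN_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")


def pdf_script_indicators(data: bytes) -> list[str]:
    """Return the distinct script/action name tokens found in a PDF body."""
    return sorted({m.group(1).decode("ascii") for m in PDF_SCRIPT_TOKEN_RE.finditer(data)})


def document_response_headers(filename: str, content_type: str,
                              serve_inline: bool = False) -> dict[str, str]:
    """Headers for serving an uploaded document from the CMS origin.

    Defaults to Content-Disposition: attachment, so the browser downloads the
    file instead of rendering it (and any script it carries) on the CMS origin.
    nosniff stops the browser from second-guessing Content-Type, and the CSP
    sandbox directive gives any document the browser does render an opaque
    origin, so it cannot reach the authenticated CMS session.
    """
    # Strip CR/LF and percent-encode so the filename cannot inject headers.
    safe_name = quote(filename.replace("\r", "").replace("\n", ""), safe="")
    disposition = "inline" if serve_inline else "attachment"
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Content-Disposition": f"{disposition}; filename*=UTF-8''{safe_name}",
    }


# Constructed sample inputs: a fragment carrying an OpenAction JavaScript
# entry (placeholder script text only), and a fragment with no actions.
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
                b"<< /S /JavaScript /JS (PLACEHOLDER) >> >>\nendobj\n%%EOF\n")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    print(pdf_script_indicators(SCRIPTED_PDF))  # ['JS', 'JavaScript', 'OpenAction']
    print(document_response_headers("report.pdf", "application/pdf"))
```

A flagged upload is a candidate for rejection or quarantine under the site's own policy; the headers apply when Wagtail itself serves the file, since storage-backed serving (e.g., S3) needs the equivalent settings on that host.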
    
Credits:
Discovered by Ibrahim Fatih Inceli and Berat Aksit
