23 matches found
CVE-2020-11037
In Wagtail, a potential timing attack exists on pages or documents protected with a shared password via the Privacy controls. The password check uses a character-by-character comparison, enabling a timing analysis to potentially reveal the password when measured locally. Affected versions are bef...
CVE-2020-11001
In Wagtail, CVE-2020-11001 is an XSS vulnerability in the page revision comparison view of the admin interface. The issue affects Wagtail versions prior to 2.8.1 and 2.7.2, where a limited-permission editor could craft a revision history that, when viewed by a higher-privilege user, could execute...
CVE-2023-45809
Vulnerability: Wagtail CMS (Django) exposes display names of user accounts via the admin bulk actions view when accessed by a limited-permission editor. Root cause: error messages disclose user display names; by tweaking URL parameters, a non-changeing editor can retrieve any userโs display name....
CVE-2021-29434
Wagtail (a Django-based CMS) has a vulnerability in rich-text links where server-side checks do not enforce a valid protocol, allowing a malicious admin user to publish content containing javascript: URLs. Affected versions can be exploited via admin POST requests; an ordinary site visitor cannot...
CVE-2022-21683
Wagtail CVE-2022-21683 affects the notification logic for new replies in comment threads. The issue caused notifications to be sent to all users who have commented or replied anywhere on the site, rather than only to participants within the active thread. This could allow users without editing ac...
CVE-2021-32681
CVE-2021-32681 affects Wagtail (Django-based CMS). The issue is a cross-site scripting (XSS) vulnerability in the use of the {% include_block %} template tag to render plain-text StreamField blocks (CharBlock/TextBlock or derived blocks) without a specified template, where output is not HTML-esca...
CVE-2020-15118
CVE-2020-15118 affects Wagtail versions before 2.7.4 and 2.9.3, where HTML in form field help_text can be rendered unescaped when using Django form rendering helpers (e.g., form.as_p). This enables potential cross-site scripting via editor-controlled help text. Patches are available: Wagtail 2.7....
CVE-2024-39317
Wagtail (Django-based CMS) exposes a Regular Expression Denial of Service in the parse_query_string routine when handling long, space-free input strings. The issue can be exploited by any Wagtail admin user in initial installations; end users are not typically capable unless a custom search path ...
CVE-2023-28836
Wagtail CVE-2023-28836 describes a stored XSS in ModelAdmin views (ChooseParentView for pages; InspectView for documents). A user with limited-permission editor can craft content that, when viewed by a higher-privilege user, could act with that userโs credentials. The issue affects Wagtail versio...
CVE-2026-28222
Wagtail CVE-2026-28222 is a stored XSS affecting TableBlock in StreamField. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, an attacker with page creation/edit permissions could craft TableBlock class attributes that render arbitrary JavaScript when viewed by higher-privilege users. This is not...
CVE-2023-28837
Wagtail before versions 4.1.4 and 4.2.2 contains a memory exhaustion DoS when uploading large image/document files. During upload, files are loaded into memory for further processing, and an admin user with upload permissions could crash the system by sending a large file. The entry notes that or...
CVE-2026-28223
Wagtail (Django-based CMS) contains a stored XSS in the wagtail.contrib.simple_translation module. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a user with admin access may craft a page title that, when another user runs the Translate action, executes arbitrary JavaScript in that userโs cont...
CVE-2026-44201
CVE-2026-44201 (Wagtail) : The Documents and Images API improperly listed items in private collections, allowing a user with API access to see filenames and names of documents/images in private collections. Root cause: insufficient access restrictions in the API prior to versions 7.0.7, 7.3.2, an...
CVE-2026-54260
CVE-2026-54260 affects Wagtail (Django-based CMS). In versions prior to 7.0.8, 7.3.3, and 7.4.2, an authenticated admin user can trigger expensive rendition processing via crafted filter specs in the image preview, leading to potential service degradation. This is not exploitable by anonymous vis...
CVE-2026-44197
CVE-2026-44197 affects Wagtail (Django-based CMS). Before versions 7.0.7, 7.3.2, and 7.4, a CMS user without page-edit permission could access page revisions via the revision-compare view by guessing revision primary keys, potentially exposing sensitive information. The issue is described as impr...
CVE-2026-44198
CVE-2026-44198 (Wagtail) : An improper permission handling flaw allowed a CMS user without edit rights to access the page history report, potentially exposing sensitive information. Affected: Wagtail prior to 7.0.7, 7.3.2, and 7.4. Remediation: patch releases 7.0.7, 7.3.2, and 7.4 include the fix...
CVE-2026-44200
CVE-2026-44200 Overview (Wagtail) : Wagtail (Django-based CMS) had a permission flaw where a user with limited access to pages could copy a page they cannot access to a location they can, then view its contents and potentially publish it. The root cause was that source-page permissions were not e...
CVE-2026-54263
Wagtail (Django-based CMS) has a reflected XSS in the dynamic image URL generator view within the admin. A limited-permission editor could craft a URL that, when seen by a higher-privilege user, could act with that userโs credentials. Affected versions: < 7.0.8, < 7.3.3,
CVE-2026-44199
Summary (CVE-2026-44199) Wagtail (Django-based CMS) before versions 7.0.7, 7.3.2, and 7.4 contains a permission bug in form submissions. A CMS user with limited access to form pages can delete submissions on pages they should not access by crafting a delete submission request for pages they can a...
CVE-2026-54261
Wagtail (Django-based CMS) has a permission-check flaw in the image preview endpoint. In versions prior to 7.0.8, 7.3.3, and 7.4.2, a user with admin access could preview any image due to a missing permission check; this does not expose the image data itself to ordinary site visitors. The issue h...
CVE-2026-54259
Wagtail (Django-based CMS) has a vulnerability in older branches where the Documents and Images chooser endpoint could show items to users who lack choose permission. Affected versions: < 7.0.8, < 7.3.3, and
CVE-2026-54262
Wagtailโs CVE-2026-54262 affects the translation feature. In versions before 7.0.8, 7.3.3, and 7.4.2, a user with the can submit translation permission could create translations for any page, including pages they lack access to. The root cause is described as a permission/authorization issue rela...
CVE-2026-25517
Wagtail CVE-2026-25517 involves missing permission checks on admin preview endpoints. Before versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, an admin user who knows a modelโs fields can craft a form submission to render previews of pages, snippets, or site settings with arbitrary data. The preview ...