Lucene search
+L
TorchboxWagtail

23 matches found

CVE
CVE
โ€ขadded 2020/04/30 10:20 p.m.โ€ข122 views

CVE-2020-11037

In Wagtail, a potential timing attack exists on pages or documents protected with a shared password via the Privacy controls. The password check uses a character-by-character comparison, enabling a timing analysis to potentially reveal the password when measured locally. Affected versions are bef...

6.1CVSS5.1AI score0.0025EPSS
CVE
CVE
โ€ขadded 2020/04/14 11:5 p.m.โ€ข118 views

CVE-2020-11001

In Wagtail, CVE-2020-11001 is an XSS vulnerability in the page revision comparison view of the admin interface. The issue affects Wagtail versions prior to 2.8.1 and 2.7.2, where a limited-permission editor could craft a revision history that, when viewed by a higher-privilege user, could execute...

6.8CVSS5.9AI score0.01273EPSS
CVE
CVE
โ€ขadded 2023/10/19 6:33 p.m.โ€ข105 views

CVE-2023-45809

Vulnerability: Wagtail CMS (Django) exposes display names of user accounts via the admin bulk actions view when accessed by a limited-permission editor. Root cause: error messages disclose user display names; by tweaking URL parameters, a non-changeing editor can retrieve any userโ€™s display name....

2.7CVSS3.6AI score0.00454EPSS
CVE
CVE
โ€ขadded 2021/04/19 6:45 p.m.โ€ข95 views

CVE-2021-29434

Wagtail (a Django-based CMS) has a vulnerability in rich-text links where server-side checks do not enforce a valid protocol, allowing a malicious admin user to publish content containing javascript: URLs. Affected versions can be exploited via admin POST requests; an ordinary site visitor cannot...

6.1CVSS5.4AI score0.00626EPSS
CVE
CVE
โ€ขadded 2022/01/18 5:30 p.m.โ€ข89 views

CVE-2022-21683

Wagtail CVE-2022-21683 affects the notification logic for new replies in comment threads. The issue caused notifications to be sent to all users who have commented or replied anywhere on the site, rather than only to participants within the active thread. This could allow users without editing ac...

4.3CVSS4.2AI score0.0097EPSS
CVE
CVE
โ€ขadded 2021/06/17 4:25 p.m.โ€ข88 views

CVE-2021-32681

CVE-2021-32681 affects Wagtail (Django-based CMS). The issue is a cross-site scripting (XSS) vulnerability in the use of the {% include_block %} template tag to render plain-text StreamField blocks (CharBlock/TextBlock or derived blocks) without a specified template, where output is not HTML-esca...

5.4CVSS5.2AI score0.01109EPSS
CVE
CVE
โ€ขadded 2020/07/20 5:50 p.m.โ€ข81 views

CVE-2020-15118

CVE-2020-15118 affects Wagtail versions before 2.7.4 and 2.9.3, where HTML in form field help_text can be rendered unescaped when using Django form rendering helpers (e.g., form.as_p). This enables potential cross-site scripting via editor-controlled help text. Patches are available: Wagtail 2.7....

5.7CVSS5.4AI score0.01083EPSS
CVE
CVE
โ€ขadded 2024/07/11 3:23 p.m.โ€ข71 views

CVE-2024-39317

Wagtail (Django-based CMS) exposes a Regular Expression Denial of Service in the parse_query_string routine when handling long, space-free input strings. The issue can be exploited by any Wagtail admin user in initial installations; end users are not typically capable unless a custom search path ...

6.5CVSS5.8AI score0.0061EPSS
CVE
CVE
โ€ขadded 2023/04/03 12:0 a.m.โ€ข60 views

CVE-2023-28836

Wagtail CVE-2023-28836 describes a stored XSS in ModelAdmin views (ChooseParentView for pages; InspectView for documents). A user with limited-permission editor can craft content that, when viewed by a higher-privilege user, could act with that userโ€™s credentials. The issue affects Wagtail versio...

6.4CVSS5.8AI score0.00772EPSS
CVE
CVE
โ€ขadded 2026/03/05 6:58 p.m.โ€ข54 views

CVE-2026-28222

Wagtail CVE-2026-28222 is a stored XSS affecting TableBlock in StreamField. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, an attacker with page creation/edit permissions could craft TableBlock class attributes that render arbitrary JavaScript when viewed by higher-privilege users. This is not...

6.1CVSS5.8AI score0.00418EPSS
CVE
CVE
โ€ขadded 2023/04/03 4:41 p.m.โ€ข40 views

CVE-2023-28837

Wagtail before versions 4.1.4 and 4.2.2 contains a memory exhaustion DoS when uploading large image/document files. During upload, files are loaded into memory for further processing, and an admin user with upload permissions could crash the system by sending a large file. The entry notes that or...

4.9CVSS5AI score0.0107EPSS
CVE
CVE
โ€ขadded 2026/03/05 6:56 p.m.โ€ข34 views

CVE-2026-28223

Wagtail (Django-based CMS) contains a stored XSS in the wagtail.contrib.simple_translation module. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a user with admin access may craft a page title that, when another user runs the Translate action, executes arbitrary JavaScript in that userโ€™s cont...

6.1CVSS5.8AI score0.00459EPSS
CVE
CVE
โ€ขadded 2026/05/11 2:42 p.m.โ€ข28 views

CVE-2026-44201

CVE-2026-44201 (Wagtail) : The Documents and Images API improperly listed items in private collections, allowing a user with API access to see filenames and names of documents/images in private collections. Root cause: insufficient access restrictions in the API prior to versions 7.0.7, 7.3.2, an...

5.3CVSS5.8AI score0.00256EPSS
CVE
CVE
โ€ขadded 2026/07/01 9:8 p.m.โ€ข28 views

CVE-2026-54260

CVE-2026-54260 affects Wagtail (Django-based CMS). In versions prior to 7.0.8, 7.3.3, and 7.4.2, an authenticated admin user can trigger expensive rendition processing via crafted filter specs in the image preview, leading to potential service degradation. This is not exploitable by anonymous vis...

4.3CVSS5.6AI score0.0022EPSS
CVE
CVE
โ€ขadded 2026/05/11 2:39 p.m.โ€ข26 views

CVE-2026-44197

CVE-2026-44197 affects Wagtail (Django-based CMS). Before versions 7.0.7, 7.3.2, and 7.4, a CMS user without page-edit permission could access page revisions via the revision-compare view by guessing revision primary keys, potentially exposing sensitive information. The issue is described as impr...

6.5CVSS5.8AI score0.00204EPSS
CVE
CVE
โ€ขadded 2026/05/11 2:40 p.m.โ€ข25 views

CVE-2026-44198

CVE-2026-44198 (Wagtail) : An improper permission handling flaw allowed a CMS user without edit rights to access the page history report, potentially exposing sensitive information. Affected: Wagtail prior to 7.0.7, 7.3.2, and 7.4. Remediation: patch releases 7.0.7, 7.3.2, and 7.4 include the fix...

4.3CVSS5.8AI score0.00162EPSS
CVE
CVE
โ€ขadded 2026/05/11 2:41 p.m.โ€ข25 views

CVE-2026-44200

CVE-2026-44200 Overview (Wagtail) : Wagtail (Django-based CMS) had a permission flaw where a user with limited access to pages could copy a page they cannot access to a location they can, then view its contents and potentially publish it. The root cause was that source-page permissions were not e...

6.5CVSS5.8AI score0.00201EPSS
CVE
CVE
โ€ขadded 2026/07/01 9:12 p.m.โ€ข25 views

CVE-2026-54263

Wagtail (Django-based CMS) has a reflected XSS in the dynamic image URL generator view within the admin. A limited-permission editor could craft a URL that, when seen by a higher-privilege user, could act with that userโ€™s credentials. Affected versions: < 7.0.8, < 7.3.3,

7.3CVSS5.5AI score0.00203EPSS
CVE
CVE
โ€ขadded 2026/05/11 2:40 p.m.โ€ข23 views

CVE-2026-44199

Summary (CVE-2026-44199) Wagtail (Django-based CMS) before versions 7.0.7, 7.3.2, and 7.4 contains a permission bug in form submissions. A CMS user with limited access to form pages can delete submissions on pages they should not access by crafting a delete submission request for pages they can a...

6.5CVSS5.8AI score0.00174EPSS
CVE
CVE
โ€ขadded 2026/07/01 9:10 p.m.โ€ข22 views

CVE-2026-54261

Wagtail (Django-based CMS) has a permission-check flaw in the image preview endpoint. In versions prior to 7.0.8, 7.3.3, and 7.4.2, a user with admin access could preview any image due to a missing permission check; this does not expose the image data itself to ordinary site visitors. The issue h...

6.5CVSS5.6AI score0.00201EPSS
CVE
CVE
โ€ขadded 2026/07/01 9:9 p.m.โ€ข20 views

CVE-2026-54259

Wagtail (Django-based CMS) has a vulnerability in older branches where the Documents and Images chooser endpoint could show items to users who lack choose permission. Affected versions: < 7.0.8, < 7.3.3, and

4.3CVSS5.6AI score0.00162EPSS
CVE
CVE
โ€ขadded 2026/07/01 9:11 p.m.โ€ข20 views

CVE-2026-54262

Wagtailโ€™s CVE-2026-54262 affects the translation feature. In versions before 7.0.8, 7.3.3, and 7.4.2, a user with the can submit translation permission could create translations for any page, including pages they lack access to. The root cause is described as a permission/authorization issue rela...

4.3CVSS5.8AI score0.00162EPSS
CVE
CVE
โ€ขadded 2026/02/04 8:48 p.m.โ€ข19 views

CVE-2026-25517

Wagtail CVE-2026-25517 involves missing permission checks on admin preview endpoints. Before versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, an admin user who knows a modelโ€™s fields can craft a form submission to render previews of pages, snippets, or site settings with arbitrary data. The preview ...

5.1CVSS5.3AI score0.00343EPSS