Medium severity5.3GHSA Advisory· Published May 11, 2026· Updated May 12, 2026

CVE-2026-44201

Description

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Affected products

Wagtail/WagtailGHSA
Range: >= 7.1, < 7.3.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-p5gm-92h4-6pv6ghsaADVISORY
github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6nvdVendor Advisory
nvd.nist.gov/vuln/detail/CVE-2026-44201ghsa

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000