PyPI package
wagtail
pkg:pypi/wagtail
Vulnerabilities (20)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44201 | Med | 5.3 | — | < 7.0.7 | 7.0.7 | May 11, 2026 | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private coll… |
| CVE-2026-44200 | Med | 6.5 | — | < 7.0.7 | 7.0.7 | May 11, 2026 | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to into an area of the site they do. Once copied, they'd be able to view its contents, and potentiall… |
| CVE-2026-44199 | Med | 6.5 | — | < 7.0.7 | 7.0.7 | May 11, 2026 | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do… |
| CVE-2026-44198 | Med | 4.3 | — | < 7.0.7 | 7.0.7 | May 11, 2026 | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability… |
| CVE-2026-44197 | Med | 6.5 | — | < 7.0.7 | 7.0.7 | May 11, 2026 | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potent… |
| CVE-2026-28222 | — | — | — | < 6.3.8 | 6.3.8 | Mar 5, 2026 | Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containi… |
| CVE-2026-28223 | — | — | — | < 6.3.8 | 6.3.8 | Mar 5, 2026 | Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the… |
| CVE-2026-25517 | — | — | — | < 6.3.6 | 6.3.6 | Feb 4, 2026 | Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submi… |
| CVE-2024-39317 | — | — | — | >= 6.0, < 6.0.6 | 6.0.6 | Jul 11, 2024 | Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string`… |
| CVE-2024-35228 | Med | 5.5 | — | >= 6.0.0, < 6.0.5 | 6.0.5 | May 30, 2024 | Wagtail is an open source content management system built on Django. Due to an improperly applied permission check in the `wagtail.contrib.settings` module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and updat… |
| CVE-2024-32882 | Low | 2.7 | — | >= 6.0.0, < 6.0.3 | 6.0.3 | May 2, 2024 | Wagtail is an open source content management system built on Django. In affected versions if a model has been made available for editing through the `wagtail.contrib.settings` module or `ModelViewSet`, and the `permission` argument on `FieldPanel` has been used to further restric… |
| CVE-2023-45809 | — | — | — | < 4.1.9 | 4.1.9 | Oct 19, 2023 | Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from… |
| CVE-2023-28837 | — | — | — | >= 4.2, < 4.2.2 | 4.2.2 | Apr 3, 2023 | Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional… |
| CVE-2023-28836 | — | — | — | >= 1.5, < 4.1.4 | 4.1.4 | Apr 3, 2023 | Wagtail is an open source content management system built on Django. Starting in version 1.5 and prior to versions 4.1.4 and 4.2.2, a stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface. A user with a limited-permission ed… |
| CVE-2022-21683 | — | — | — | >= 2.13, < 2.15.2 | 2.15.2 | Jan 18, 2022 | Wagtail is a Django based content management system focused on flexibility and user experience. When notifications for new replies in comment threads are sent, they are sent to all users who have replied or commented anywhere on the site, rather than only in the relevant threads.… |
| CVE-2021-32681 | — | — | — | < 2.11.8 | 2.11.8 | Jun 17, 2021 | Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text St… |
| CVE-2021-29434 | — | — | — | < 2.11.7 | 2.11.7 | Apr 19, 2021 | Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin… |
| CVE-2020-15118 | — | — | — | >= 2.8rc1, < 2.9.3 | 2.9.3 | Jul 20, 2020 | In Wagtail before versions 2.7.4 and 2.9.3, when a form page type is made available to Wagtail editors through the `wagtail.contrib.forms` app, and the page template is built using Django's standard form rendering helpers such as form.as_p, any HTML tags used within a form field'… |
| CVE-2020-11037 | — | — | — | < 2.7.3 | 2.7.3 | Apr 30, 2020 | In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an… |
| CVE-2020-11001 | — | — | — | >= 1.9.0, < 2.7.2 | 2.7.2 | Apr 14, 2020 | In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision his… |

Notes on the columns: "—" marks a field for which this listing records no value (severity and CVSS where none is given, and the KEV column throughout). Descriptions are cut off at the length this page shows; the trailing "…" marks that cut. The Affected versions and Fixed in columns give only one branch's range, usually the oldest patched branch, while the description lists every fixed release: CVE-2023-28837 is shown as >= 4.2, < 4.2.2 although the text also names 4.1.4, and CVE-2020-15118 is shown as >= 2.8rc1, < 2.9.3 although the text also names 2.7.4. When checking an installation, use the description's full list of fixed releases for the branch you run, not the range column alone.
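A version check against the ranges printed above, as an added example that is not tooling from the Wagtail project or from this listing. `ADVISORIES` is transcribed from the table's CVE, Affected versions and Fixed in columns; the version parser is an assumption covering only the PEP 440 subset that appears there (dotted integers plus an optional a/b/rc pre-release suffix such as "2.8rc1"), not full PEP 440.

```python
"""Check an installed Wagtail version against the affected ranges in the table.

Added example, not Wagtail's tooling. ADVISORIES is transcribed from the table;
the version parser handles only the PEP 440 subset used there (assumption).
"""
import re
from typing import List, Optional, Tuple

ADVISORIES: List[Tuple[str, str, str]] = [
    # (CVE, affected range as printed in the table, fixed-in release)
    ("CVE-2026-44201", "< 7.0.7", "7.0.7"),
    ("CVE-2026-44200", "< 7.0.7", "7.0.7"),
    ("CVE-2026-44199", "< 7.0.7", "7.0.7"),
    ("CVE-2026-44198", "< 7.0.7", "7.0.7"),
    ("CVE-2026-44197", "< 7.0.7", "7.0.7"),
    ("CVE-2026-28222", "< 6.3.8", "6.3.8"),
    ("CVE-2026-28223", "< 6.3.8", "6.3.8"),
    ("CVE-2026-25517", "< 6.3.6", "6.3.6"),
    ("CVE-2024-39317", ">= 6.0, < 6.0.6", "6.0.6"),
    ("CVE-2024-35228", ">= 6.0.0, < 6.0.5", "6.0.5"),
    ("CVE-2024-32882", ">= 6.0.0, < 6.0.3", "6.0.3"),
    ("CVE-2023-45809", "< 4.1.9", "4.1.9"),
    ("CVE-2023-28837", ">= 4.2, < 4.2.2", "4.2.2"),
    ("CVE-2023-28836", ">= 1.5, < 4.1.4", "4.1.4"),
    ("CVE-2022-21683", ">= 2.13, < 2.15.2", "2.15.2"),
    ("CVE-2021-32681", "< 2.11.8", "2.11.8"),
    ("CVE-2021-29434", "< 2.11.7", "2.11.7"),
    ("CVE-2020-15118", ">= 2.8rc1, < 2.9.3", "2.9.3"),
    ("CVE-2020-11037", "< 2.7.3", "2.7.3"),
    ("CVE-2020-11001", ">= 1.9.0, < 2.7.2", "2.7.2"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any pre-release of the same number


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "7.0.7" or "2.8rc1" into a tuple that compares in PEP 440 order.

    The release part is zero-padded to four components so "7.0" == "7.0.0",
    then a (rank, number) pre-release marker is appended.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * (4 - len(release))
    if m.group(2):
        return release + (_PRE_RANK[m.group(2)], int(m.group(3)))
    return release + (_FINAL_RANK, 0)


_CLAUSE_RE = re.compile(r"^(<=|>=|==|<|>)\s*(\S+)$")
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def is_affected(installed: str, spec: str) -> bool:
    """True when `installed` satisfies every comma-separated clause of `spec`."""
    v = parse_version(installed)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def affecting(installed: str) -> List[str]:
    """CVEs whose printed range contains the installed version."""
    return [cve for cve, spec, _fixed in ADVISORIES if is_affected(installed, spec)]


def lowest_clean_fix() -> Optional[str]:
    """Lowest 'Fixed in' release that none of the printed ranges still covers."""
    clean = [fixed for _cve, _spec, fixed in ADVISORIES if not affecting(fixed)]
    return min(clean, key=parse_version) if clean else None


if __name__ == "__main__":
    import sys

    installed = sys.argv[1] if len(sys.argv) > 1 else "6.3.7"
    hits = affecting(installed)
    print(f"wagtail {installed}: {len(hits)} listed advisories apply")
    for cve in hits:
        print("  ", cve)
    print("lowest release clear of every printed range:", lowest_clean_fix())
```

The checker inherits the table's blind spot: a 4.2.0 install is not matched by `>= 1.5, < 4.1.4`, yet the CVE-2023-28836 description says the 4.2 branch was fixed only in 4.2.2. Read an empty result as "nothing in the printed ranges", and confirm against the description's list of fixed releases for your branch.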
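The missing server-side check the CVE-2021-29434 entry describes is a protocol allowlist on link URLs. The following is an added example, not Wagtail's implementation: an allowlist check plus a small `HTMLParser`-based scrubber that drops `href` values failing it from `<a>` tags, of the kind a save-time hook would apply. The allowed scheme set, the sample markup and the function names are constructed for the example.

```python
"""Server-side protocol check for link URLs in rich-text content.

Added example, not Wagtail's code. ALLOWED_SCHEMES and the sample markup are
constructed for the demonstration.
"""
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto", "tel"}  # assumption
_CONTROL = "".join(chr(c) for c in range(0x21))  # C0 controls plus space


def link_is_safe(href: str) -> bool:
    """Allow relative URLs and allowlisted schemes; reject everything else.

    Tabs/newlines inside the scheme and leading control characters are removed
    first because browsers ignore them ("java\\tscript:" still executes).
    """
    cleaned = href.replace("\t", "").replace("\n", "").replace("\r", "").strip(_CONTROL)
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:  # e.g. malformed IPv6 literal; treat as unsafe
        return False
    if scheme == "":
        return True  # relative or protocol-relative link, no scheme to abuse
    return scheme in ALLOWED_SCHEMES


class LinkScrubber(HTMLParser):
    """Re-emit markup, dropping href attributes that fail link_is_safe.

    HTMLParser decodes entities in attribute values, so "java&#115;cript:"
    reaches link_is_safe already as "javascript:".
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self.rejected: List[str] = []

    def _attrs(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> str:
        parts = []
        for name, value in attrs:
            if tag == "a" and name.lower() == "href" and not link_is_safe(value or ""):
                self.rejected.append(value or "")
                continue
            if value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def scrub_links(markup: str) -> Tuple[str, List[str]]:
    """Return (scrubbed_markup, rejected_hrefs)."""
    parser = LinkScrubber()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.rejected


if __name__ == "__main__":
    sample = '<p>Hi <a href="javascript:alert(1)">x</a> and <a href="https://example.org/">ok</a></p>'
    cleaned, rejected = scrub_links(sample)
    print(cleaned)
    print("rejected:", rejected)
```

Run the scrub on save, not only on render, so the stored content is already clean; logging `rejected` gives you an audit trail of who submitted a `javascript:` or `data:` link and when.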
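Why the character-by-character comparison in the CVE-2020-11037 entry matters, as an added example that is not Wagtail's code. `naive_equal` stands in for an early-exit comparison, instrumented to report how many characters it inspected: that count, like the wall-clock time of the real loop, grows with the length of the correct prefix. `recover_by_prefix` shows what an attacker does with the signal, and `constant_time_equal` is the fix via `hmac.compare_digest`. The password, the alphabet and the assumption that the attacker already knows the password length are constructed for the demo.

```python
"""Early-exit password comparison leaks the matching prefix; compare_digest fixes it.

Added example, not Wagtail's code. Secret, alphabet and known length are
constructed for the demonstration.
"""
import hmac
from typing import Tuple


def naive_equal(secret: str, guess: str) -> Tuple[bool, int]:
    """Return (equal, characters_inspected); stops at the first mismatch."""
    inspected = 0
    if len(secret) != len(guess):
        return False, inspected
    for a, b in zip(secret, guess):
        inspected += 1
        if a != b:
            return False, inspected
    return True, inspected


def constant_time_equal(secret: str, guess: str) -> bool:
    """Fixed version: work done depends on input lengths only, not on content."""
    return hmac.compare_digest(secret.encode("utf-8"), guess.encode("utf-8"))


def recover_by_prefix(secret: str, alphabet: str, length: int) -> str:
    """Rebuild `secret` one character at a time using only naive_equal's leak.

    For each position, try every alphabet character and keep the one that made
    the comparison go furthest; a full match ends the search. A real attacker
    measures response time (over many samples) instead of reading the counter.
    """
    found = ""
    for _ in range(length):
        best_char, best_steps = alphabet[0], -1
        for ch in alphabet:
            # pad with NUL so only the prefix under test can match (assumes no NUL in secret)
            equal, steps = naive_equal(secret, (found + ch).ljust(length, "\x00"))
            if equal:
                return found + ch
            if steps > best_steps:
                best_char, best_steps = ch, steps
        found += best_char
    return found


if __name__ == "__main__":
    secret = "s3cret"  # constructed
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    print("recovered:", recover_by_prefix(secret, alphabet, len(secret)))
    print("constant-time match:", constant_time_equal(secret, "s3cret"))
    print("constant-time mismatch:", constant_time_equal(secret, "s3crex"))
```

The attack costs at most `len(alphabet) * length` guesses instead of `len(alphabet) ** length`; in practice each guess is repeated and averaged to beat network jitter, which is why even microsecond-scale differences are worth closing with a length-independent compare.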