Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/15398?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/15398?format=api", "purl": "pkg:pypi/wagtail@2.1.3", "type": "pypi", "namespace": "", "name": "wagtail", "version": "2.1.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "7.0.7", "latest_non_vulnerable_version": "7.3.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37322?format=api", "vulnerability_id": "VCID-22sk-jw8g-byek", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44197", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10224", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44197" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:52:47Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44197", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44197" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50302?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/50303?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44197", "GHSA-c6wj-9vcj-75pj", "PYSEC-2026-146" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-22sk-jw8g-byek" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37323?format=api", "vulnerability_id": "VCID-39ey-uzfk-8qh3", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44198", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.08988", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44198" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:53:32Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44198", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44198" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50302?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/50303?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44198", "GHSA-c4mr-889m-vgf6", "PYSEC-2026-147" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-39ey-uzfk-8qh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50557?format=api", "vulnerability_id": "VCID-8vb4-y953-b7dp", "summary": "Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes\nA stored Cross-site Scripting (XSS) vulnerability exists on rendering `TableBlock` blocks within a StreamField. A user with access to create or edit pages containing `TableBlock` StreamField blocks is able to set specially-crafted `class` attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28222", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.2955", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28222" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28222", "reference_id": "CVE-2026-28222", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28222" }, { "reference_url": "https://github.com/advisories/GHSA-p5cm-246w-84jm", "reference_id": "GHSA-p5cm-246w-84jm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p5cm-246w-84jm" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm", "reference_id": "GHSA-p5cm-246w-84jm", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50277?format=api", "purl": "pkg:pypi/wagtail@6.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/50289?format=api", "purl": "pkg:pypi/wagtail@7.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/50298?format=api", "purl": "pkg:pypi/wagtail@7.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/50301?format=api", "purl": "pkg:pypi/wagtail@7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1" } ], "aliases": [ "CVE-2026-28222", "GHSA-p5cm-246w-84jm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8vb4-y953-b7dp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36413?format=api", "vulnerability_id": "VCID-dm6q-bfv5-9yee", "summary": "Wagtail is an open source content management system built on Django. Starting in version 1.5 and prior to versions 4.1.4 and 4.2.2, a stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled. For page, the vulnerability is in the \"Choose a parent page\" ModelAdmin view (`ChooseParentView`), available when managing pages via ModelAdmin. For documents, the vulnerability is in the ModelAdmin Inspect view (`InspectView`) when displaying document fields. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2. Site owners who are unable to upgrade to the new versions can disable or override the corresponding functionality.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28836", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01096", "scoring_system": "epss", "scoring_elements": "0.78367", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28836" }, { "reference_url": "https://docs.wagtail.org/en/stable/reference/contrib/modeladmin/chooseparentview.html#customising-chooseparentview", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/" } ], "url": "https://docs.wagtail.org/en/stable/reference/contrib/modeladmin/chooseparentview.html#customising-chooseparentview" }, { "reference_url": "https://docs.wagtail.org/en/stable/reference/contrib/modeladmin/inspectview.html#enabling-customising-inspectview", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/" } ], "url": "https://docs.wagtail.org/en/stable/reference/contrib/modeladmin/inspectview.html#enabling-customising-inspectview" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-55.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-55.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/5be2b1ed55fd7259dfdf2c82e7701dba407b8b62", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/5be2b1ed55fd7259dfdf2c82e7701dba407b8b62" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/bc84bf9815610cfbf8db3b6050c7ddcbaa4b9713", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/bc84bf9815610cfbf8db3b6050c7ddcbaa4b9713" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/eefc3381d37b476791610e5d30594fae443f33af", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/eefc3381d37b476791610e5d30594fae443f33af" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/ff806ab173a504395fdfb3139eb0a29444ab4b91", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/ff806ab173a504395fdfb3139eb0a29444ab4b91" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-5286-f2rf-35c2", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-5286-f2rf-35c2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28836", "reference_id": "CVE-2023-28836", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28836" }, { "reference_url": "https://github.com/advisories/GHSA-5286-f2rf-35c2", "reference_id": "GHSA-5286-f2rf-35c2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5286-f2rf-35c2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33143?format=api", "purl": "pkg:pypi/wagtail@4.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/41845?format=api", "purl": "pkg:pypi/wagtail@4.2rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/33142?format=api", "purl": "pkg:pypi/wagtail@4.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2.2" } ], "aliases": [ "CVE-2023-28836", "GHSA-5286-f2rf-35c2", "PYSEC-2023-55" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dm6q-bfv5-9yee" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35594?format=api", "vulnerability_id": "VCID-epja-7qhx-6fa5", "summary": "In Wagtail before versions 2.7.4 and 2.9.3, when a form page type is made available to Wagtail editors through the `wagtail.contrib.forms` app, and the page template is built using Django's standard form rendering helpers such as form.as_p, any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.4 (for the LTS 2.7 branch) and Wagtail 2.9.3 (for the current 2.9 branch). In these versions, help text will be escaped to prevent the inclusion of HTML tags. Site owners who wish to re-enable the use of HTML within help text (and are willing to accept the risk of this being exploited by editors) may set WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True in their configuration settings. Site owners who are unable to upgrade to the new versions can secure their form page templates by rendering forms field-by-field as per Django's documentation, but omitting the |safe filter when outputting the help text.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15118", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00595", "scoring_system": "epss", "scoring_elements": "0.69734", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00595", "scoring_system": "epss", "scoring_elements": "0.69694", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15118" }, { "reference_url": "https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.Field.help_text", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.Field.help_text" }, { "reference_url": "https://docs.wagtail.io/en/stable/reference/contrib/forms/index.html#usage", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://docs.wagtail.io/en/stable/reference/contrib/forms/index.html#usage" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-154.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-154.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/blob/master/docs/releases/2.9.3.rst", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/blob/master/docs/releases/2.9.3.rst" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/d9a41e7f24d08c024acc9a3094940199df94db34", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/d9a41e7f24d08c024acc9a3094940199df94db34" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-2473-9hgq-j7xw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-2473-9hgq-j7xw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15118", "reference_id": "CVE-2020-15118", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15118" }, { "reference_url": "https://github.com/advisories/GHSA-2473-9hgq-j7xw", "reference_id": "GHSA-2473-9hgq-j7xw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2473-9hgq-j7xw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/17799?format=api", "purl": "pkg:pypi/wagtail@2.7.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-qpe3-zgfk-tfaq" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-td22-w1m4-dfek" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.7.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/17800?format=api", "purl": "pkg:pypi/wagtail@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-qpe3-zgfk-tfaq" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-td22-w1m4-dfek" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.9.3" } ], "aliases": [ "CVE-2020-15118", "GHSA-2473-9hgq-j7xw", "PYSEC-2020-154" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-epja-7qhx-6fa5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37326?format=api", "vulnerability_id": "VCID-esy5-hesv-zyf7", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44201", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02039", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44201" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:45:22Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44201", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44201" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50302?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/50303?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44201", "GHSA-p5gm-92h4-6pv6", "PYSEC-2026-150" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-esy5-hesv-zyf7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35550?format=api", "vulnerability_id": "VCID-g1c7-32gs-77hy", "summary": "In Wagtail before versions 2.7.2 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's \"Privacy\" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is understood to be feasible on a local network, but not on the public internet. Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11037", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16755", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16674", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11037" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-153.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-153.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/3c030490ed575bb9cd01dfb3a890477dcaeb2edf", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/3c030490ed575bb9cd01dfb3a890477dcaeb2edf" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/b76ab57ee859732b9cf9287d380493ab24061090", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/b76ab57ee859732b9cf9287d380493ab24061090" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/ba9d424bd1ca5ce1910d3de74f5cc07214fbfb11", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/ba9d424bd1ca5ce1910d3de74f5cc07214fbfb11" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/bac3cd0a26b023e595cf2959aae7da15bb5e4340", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/bac3cd0a26b023e595cf2959aae7da15bb5e4340" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11037", "reference_id": "CVE-2020-11037", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11037" }, { "reference_url": "https://github.com/advisories/GHSA-jjjr-3jcw-f8v6", "reference_id": "GHSA-jjjr-3jcw-f8v6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jjjr-3jcw-f8v6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/15554?format=api", "purl": "pkg:pypi/wagtail@2.7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-epja-7qhx-6fa5" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-qpe3-zgfk-tfaq" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-td22-w1m4-dfek" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.7.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/15553?format=api", "purl": "pkg:pypi/wagtail@2.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-epja-7qhx-6fa5" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-qpe3-zgfk-tfaq" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-td22-w1m4-dfek" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/17796?format=api", "purl": "pkg:pypi/wagtail@2.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-epja-7qhx-6fa5" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-qpe3-zgfk-tfaq" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-td22-w1m4-dfek" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.9" } ], "aliases": [ "CVE-2020-11037", "GHSA-jjjr-3jcw-f8v6", "PYSEC-2020-153" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g1c7-32gs-77hy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36832?format=api", "vulnerability_id": "VCID-k7jj-wh5a-kudh", "summary": "Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39317", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00329", "scoring_system": "epss", "scoring_elements": "0.56207", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-39317" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2024-86.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2024-86.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39317", "reference_id": "CVE-2024-39317", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39317" }, { "reference_url": "https://github.com/advisories/GHSA-jmp3-39vp-fwg8", "reference_id": "GHSA-jmp3-39vp-fwg8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jmp3-39vp-fwg8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41865?format=api", "purl": "pkg:pypi/wagtail@5.2.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.2.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/50258?format=api", "purl": "pkg:pypi/wagtail@6.0rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/41864?format=api", "purl": "pkg:pypi/wagtail@6.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/50259?format=api", "purl": "pkg:pypi/wagtail@6.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.1rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/41863?format=api", "purl": "pkg:pypi/wagtail@6.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.1.3" } ], "aliases": [ "CVE-2024-39317", "GHSA-jmp3-39vp-fwg8", "PYSEC-2024-86" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k7jj-wh5a-kudh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37325?format=api", "vulnerability_id": "VCID-kphk-eqcu-fuhd", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44200", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08191", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44200" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:54:04Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44200", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44200" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50302?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/50303?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44200", "GHSA-67rv-mg8q-5pf3", "PYSEC-2026-149" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kphk-eqcu-fuhd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49964?format=api", "vulnerability_id": "VCID-mj1d-3up9-2bbs", "summary": "Wagtail has improper permission handling on admin preview endpoints\nDue to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25517", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02394", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25517" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.6" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.4" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.1.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.1.3" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.2" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25517", "reference_id": "CVE-2026-25517", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25517" }, { "reference_url": "https://github.com/advisories/GHSA-4qvv-g3vr-m348", "reference_id": "GHSA-4qvv-g3vr-m348", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4qvv-g3vr-m348" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348", "reference_id": "GHSA-4qvv-g3vr-m348", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50275?format=api", "purl": "pkg:pypi/wagtail@6.3.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/50287?format=api", "purl": "pkg:pypi/wagtail@7.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/50293?format=api", "purl": "pkg:pypi/wagtail@7.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/50297?format=api", "purl": "pkg:pypi/wagtail@7.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/50300?format=api", "purl": "pkg:pypi/wagtail@7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3" } ], "aliases": [ "CVE-2026-25517", "GHSA-4qvv-g3vr-m348" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mj1d-3up9-2bbs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36580?format=api", "vulnerability_id": "VCID-npzc-8qut-f7g1", "summary": "Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-45809", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00232", "scoring_system": "epss", "scoring_elements": "0.46114", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-45809" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-219.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-219.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/0bacd29473107d9d7f5b723a15a683449679756d", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/0bacd29473107d9d7f5b723a15a683449679756d" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/2231f462c75dfe84307fb40577e8c2109a23b27e", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/2231f462c75dfe84307fb40577e8c2109a23b27e" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.9" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v5.0.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v5.0.5" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v5.1.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v5.1.3" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45809", "reference_id": "CVE-2023-45809", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45809" }, { "reference_url": "https://github.com/advisories/GHSA-fc75-58r8-rm3h", "reference_id": "GHSA-fc75-58r8-rm3h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fc75-58r8-rm3h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36601?format=api", "purl": "pkg:pypi/wagtail@4.1.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.1.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/41845?format=api", "purl": "pkg:pypi/wagtail@4.2rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/36602?format=api", "purl": "pkg:pypi/wagtail@5.0.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.0.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/41846?format=api", "purl": "pkg:pypi/wagtail@5.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.1rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/36603?format=api", "purl": "pkg:pypi/wagtail@5.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.1.3" } ], "aliases": [ "CVE-2023-45809", "GHSA-fc75-58r8-rm3h", "PYSEC-2023-219" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-npzc-8qut-f7g1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35544?format=api", "vulnerability_id": "VCID-qaun-pdg9-63cu", "summary": "In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11001", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.58128", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00356", "scoring_system": "epss", "scoring_elements": "0.58179", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11001" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-152.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-152.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/61045ceefea114c40ac4b680af58990dbe732389", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/61045ceefea114c40ac4b680af58990dbe732389" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v2.8.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v2.8.1" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11001", "reference_id": "CVE-2020-11001", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11001" }, { "reference_url": "https://github.com/advisories/GHSA-v2wc-pfq2-5cm6", "reference_id": "GHSA-v2wc-pfq2-5cm6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v2wc-pfq2-5cm6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/15422?format=api", "purl": "pkg:pypi/wagtail@2.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-epja-7qhx-6fa5" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-g1c7-32gs-77hy" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-qpe3-zgfk-tfaq" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-td22-w1m4-dfek" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.7.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/21583?format=api", "purl": "pkg:pypi/wagtail@2.8rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-epja-7qhx-6fa5" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-g1c7-32gs-77hy" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-qpe3-zgfk-tfaq" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-td22-w1m4-dfek" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.8rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/15552?format=api", "purl": "pkg:pypi/wagtail@2.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-epja-7qhx-6fa5" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-g1c7-32gs-77hy" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-qpe3-zgfk-tfaq" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-td22-w1m4-dfek" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.8.1" } ], "aliases": [ "CVE-2020-11001", "GHSA-v2wc-pfq2-5cm6", "PYSEC-2020-152" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qaun-pdg9-63cu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35782?format=api", "vulnerability_id": "VCID-qpe3-zgfk-tfaq", "summary": "Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29434", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50942", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.51004", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29434" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c" }, { "reference_url": "https://github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx" }, { "reference_url": "https://pypi.org/project/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/wagtail" }, { "reference_url": "https://pypi.org/project/wagtail/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.org/project/wagtail/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29434", "reference_id": "CVE-2021-29434", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29434" }, { "reference_url": "https://github.com/advisories/GHSA-wq5h-f9p5-q7fx", "reference_id": "GHSA-wq5h-f9p5-q7fx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wq5h-f9p5-q7fx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/21597?format=api", "purl": "pkg:pypi/wagtail@2.11.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-qpe3-zgfk-tfaq" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-td22-w1m4-dfek" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/21602?format=api", "purl": "pkg:pypi/wagtail@2.11.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-td22-w1m4-dfek" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/21603?format=api", "purl": "pkg:pypi/wagtail@2.12.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-td22-w1m4-dfek" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.12.4" } ], "aliases": [ "CVE-2021-29434", "GHSA-wq5h-f9p5-q7fx", "PYSEC-2021-114" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qpe3-zgfk-tfaq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37324?format=api", "vulnerability_id": "VCID-rks7-49ud-u7g2", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44199", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.0943", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44199" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:22:48Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44199", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44199" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50302?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/50303?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44199", "GHSA-pwm3-7fv4-g6xx", "PYSEC-2026-148" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rks7-49ud-u7g2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/35822?format=api", "vulnerability_id": "VCID-td22-w1m4-dfek", "summary": "Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32681", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.53058", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.52998", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32681" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-103.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-103.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v2.11.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v2.11.8" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v2.12.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v2.12.5" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v2.13.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v2.13.2" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32681", "reference_id": "CVE-2021-32681", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32681" }, { "reference_url": "https://github.com/advisories/GHSA-xfrw-hxr5-ghqf", "reference_id": "GHSA-xfrw-hxr5-ghqf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xfrw-hxr5-ghqf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/22766?format=api", "purl": "pkg:pypi/wagtail@2.11.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/33106?format=api", "purl": "pkg:pypi/wagtail@2.12rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.12rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/22765?format=api", "purl": "pkg:pypi/wagtail@2.12.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.12.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/33108?format=api", "purl": "pkg:pypi/wagtail@2.13rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.13rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/22764?format=api", "purl": "pkg:pypi/wagtail@2.13.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-dm6q-bfv5-9yee" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-jp42-rvsk-dfhp" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-v11d-uytv-hqem" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.13.2" } ], "aliases": [ "CVE-2021-32681", "GHSA-xfrw-hxr5-ghqf", "PYSEC-2021-103" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-td22-w1m4-dfek" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36412?format=api", "vulnerability_id": "VCID-v11d-uytv-hqem", "summary": "Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28837", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.013", "scoring_system": "epss", "scoring_elements": "0.80094", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28837" }, { "reference_url": "https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-56.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-56.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28837", "reference_id": "CVE-2023-28837", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28837" }, { "reference_url": "https://github.com/advisories/GHSA-33pv-vcgh-jfg9", "reference_id": "GHSA-33pv-vcgh-jfg9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-33pv-vcgh-jfg9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33143?format=api", "purl": "pkg:pypi/wagtail@4.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/41845?format=api", "purl": "pkg:pypi/wagtail@4.2rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/33142?format=api", "purl": "pkg:pypi/wagtail@4.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-8vb4-y953-b7dp" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-k7jj-wh5a-kudh" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-mj1d-3up9-2bbs" }, { "vulnerability": "VCID-npzc-8qut-f7g1" }, { "vulnerability": "VCID-rks7-49ud-u7g2" }, { "vulnerability": "VCID-vzg1-msbd-g3hm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2.2" } ], "aliases": [ "CVE-2023-28837", "GHSA-33pv-vcgh-jfg9", "PYSEC-2023-56" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v11d-uytv-hqem" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50556?format=api", "vulnerability_id": "VCID-vzg1-msbd-g3hm", "summary": "Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface\nA stored Cross-site Scripting (XSS) vulnerability exists on confirmation messages within the `wagtail.contrib.simple_translation` module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the \"Translate\" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28223", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13932", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28223" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28223", "reference_id": "CVE-2026-28223", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28223" }, { "reference_url": "https://github.com/advisories/GHSA-p4v8-rw59-93cq", "reference_id": "GHSA-p4v8-rw59-93cq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p4v8-rw59-93cq" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq", "reference_id": "GHSA-p4v8-rw59-93cq", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/50277?format=api", "purl": "pkg:pypi/wagtail@6.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/50289?format=api", "purl": "pkg:pypi/wagtail@7.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/50298?format=api", "purl": "pkg:pypi/wagtail@7.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/50301?format=api", "purl": "pkg:pypi/wagtail@7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-22sk-jw8g-byek" }, { "vulnerability": "VCID-39ey-uzfk-8qh3" }, { "vulnerability": "VCID-esy5-hesv-zyf7" }, { "vulnerability": "VCID-kphk-eqcu-fuhd" }, { "vulnerability": "VCID-rks7-49ud-u7g2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1" } ], "aliases": [ "CVE-2026-28223", "GHSA-p4v8-rw59-93cq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vzg1-msbd-g3hm" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.1.3" }