Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/20334?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/20334?format=api", "purl": "pkg:pypi/wagtail@1.4", "type": "pypi", "namespace": "", "name": "wagtail", "version": "1.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "7.0.7", "latest_non_vulnerable_version": "7.3.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9658?format=api", "vulnerability_id": "VCID-12d4-1bj5-2yb5", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44199", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09514", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44199" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:22:48Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44199", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44199" }, { "reference_url": "https://github.com/advisories/GHSA-pwm3-7fv4-g6xx", "reference_id": "GHSA-pwm3-7fv4-g6xx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pwm3-7fv4-g6xx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49195?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/49196?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44199", "GHSA-pwm3-7fv4-g6xx", "PYSEC-2026-148" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-12d4-1bj5-2yb5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22374?format=api", "vulnerability_id": "VCID-1dyp-u5tf-mqhh", "summary": "Wagtail has improper permission handling on admin preview endpoints\nDue to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25517", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02431", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25517" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.6" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.4" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.1.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.1.3" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.2" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25517", "reference_id": "CVE-2026-25517", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25517" }, { "reference_url": "https://github.com/advisories/GHSA-4qvv-g3vr-m348", "reference_id": "GHSA-4qvv-g3vr-m348", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4qvv-g3vr-m348" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348", "reference_id": "GHSA-4qvv-g3vr-m348", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49168?format=api", "purl": "pkg:pypi/wagtail@6.3.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/49180?format=api", "purl": "pkg:pypi/wagtail@7.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/49186?format=api", "purl": "pkg:pypi/wagtail@7.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/49190?format=api", "purl": "pkg:pypi/wagtail@7.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/49193?format=api", "purl": "pkg:pypi/wagtail@7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3" } ], "aliases": [ "CVE-2026-25517", "GHSA-4qvv-g3vr-m348" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1dyp-u5tf-mqhh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9657?format=api", "vulnerability_id": "VCID-2upt-d3sg-ebea", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44198", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09075", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44198" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:53:32Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44198", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44198" }, { "reference_url": "https://github.com/advisories/GHSA-c4mr-889m-vgf6", "reference_id": "GHSA-c4mr-889m-vgf6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c4mr-889m-vgf6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49195?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/49196?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44198", "GHSA-c4mr-889m-vgf6", "PYSEC-2026-147" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2upt-d3sg-ebea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9656?format=api", "vulnerability_id": "VCID-5p3e-kwee-ukfr", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44197", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10242", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44197" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:52:47Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44197", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44197" }, { "reference_url": "https://github.com/advisories/GHSA-c6wj-9vcj-75pj", "reference_id": "GHSA-c6wj-9vcj-75pj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c6wj-9vcj-75pj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49195?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/49196?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44197", "GHSA-c6wj-9vcj-75pj", "PYSEC-2026-146" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5p3e-kwee-ukfr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22963?format=api", "vulnerability_id": "VCID-672q-fuy3-yqd1", "summary": "Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface\nA stored Cross-site Scripting (XSS) vulnerability exists on confirmation messages within the `wagtail.contrib.simple_translation` module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the \"Translate\" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28223", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.1391", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28223" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28223", "reference_id": "CVE-2026-28223", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28223" }, { "reference_url": "https://github.com/advisories/GHSA-p4v8-rw59-93cq", "reference_id": "GHSA-p4v8-rw59-93cq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p4v8-rw59-93cq" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq", "reference_id": "GHSA-p4v8-rw59-93cq", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49170?format=api", "purl": "pkg:pypi/wagtail@6.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/49182?format=api", "purl": "pkg:pypi/wagtail@7.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/49191?format=api", "purl": "pkg:pypi/wagtail@7.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/49194?format=api", "purl": "pkg:pypi/wagtail@7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1" } ], "aliases": [ "CVE-2026-28223", "GHSA-p4v8-rw59-93cq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-672q-fuy3-yqd1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8748?format=api", "vulnerability_id": "VCID-8jfe-n528-xuc2", "summary": "Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28837", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.013", "scoring_system": "epss", "scoring_elements": "0.80045", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-28837" }, { "reference_url": "https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-56.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-56.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.4" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v4.2.2" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28837", "reference_id": "CVE-2023-28837", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28837" }, { "reference_url": "https://github.com/advisories/GHSA-33pv-vcgh-jfg9", "reference_id": "GHSA-33pv-vcgh-jfg9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-33pv-vcgh-jfg9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32036?format=api", "purl": "pkg:pypi/wagtail@4.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.1.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/40738?format=api", "purl": "pkg:pypi/wagtail@4.2rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/32035?format=api", "purl": "pkg:pypi/wagtail@4.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2.2" } ], "aliases": [ "CVE-2023-28837", "GHSA-33pv-vcgh-jfg9", "PYSEC-2023-56" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8jfe-n528-xuc2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8114?format=api", "vulnerability_id": "VCID-btdp-8uac-rkhp", "summary": "Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32681", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00294", "scoring_system": "epss", "scoring_elements": "0.52978", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32681" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-103.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-103.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v2.11.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v2.11.8" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v2.12.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v2.12.5" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v2.13.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v2.13.2" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32681", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32681" }, { "reference_url": "https://github.com/advisories/GHSA-xfrw-hxr5-ghqf", "reference_id": "GHSA-xfrw-hxr5-ghqf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xfrw-hxr5-ghqf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/21541?format=api", "purl": "pkg:pypi/wagtail@2.11.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/31999?format=api", "purl": "pkg:pypi/wagtail@2.12rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.12rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/21540?format=api", "purl": "pkg:pypi/wagtail@2.12.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.12.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/32001?format=api", "purl": "pkg:pypi/wagtail@2.13rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.13rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/21539?format=api", "purl": "pkg:pypi/wagtail@2.13.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-chj9-nmry-q3f1" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.13.2" } ], "aliases": [ "CVE-2021-32681", "GHSA-xfrw-hxr5-ghqf", "PYSEC-2021-103" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-btdp-8uac-rkhp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8082?format=api", "vulnerability_id": "VCID-cfkh-sdk4-3uan", "summary": "Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29434", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00274", "scoring_system": "epss", "scoring_elements": "0.50921", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-29434" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c" }, { "reference_url": "https://github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29434", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29434" }, { "reference_url": "https://pypi.org/project/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pypi.org/project/wagtail" }, { "reference_url": "https://pypi.org/project/wagtail/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://pypi.org/project/wagtail/" }, { "reference_url": "https://github.com/advisories/GHSA-wq5h-f9p5-q7fx", "reference_id": "GHSA-wq5h-f9p5-q7fx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wq5h-f9p5-q7fx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20372?format=api", "purl": "pkg:pypi/wagtail@2.11.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-btdp-8uac-rkhp" }, { "vulnerability": "VCID-cfkh-sdk4-3uan" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/20377?format=api", "purl": "pkg:pypi/wagtail@2.11.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-btdp-8uac-rkhp" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/20378?format=api", "purl": "pkg:pypi/wagtail@2.12.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-btdp-8uac-rkhp" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.12.4" } ], "aliases": [ "CVE-2021-29434", "GHSA-wq5h-f9p5-q7fx", "PYSEC-2021-114" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cfkh-sdk4-3uan" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/7929?format=api", "vulnerability_id": "VCID-fr48-r964-g3aw", "summary": "In Wagtail before versions 2.7.4 and 2.9.3, when a form page type is made available to Wagtail editors through the `wagtail.contrib.forms` app, and the page template is built using Django's standard form rendering helpers such as form.as_p, any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is an intentional design decision by Django; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.4 (for the LTS 2.7 branch) and Wagtail 2.9.3 (for the current 2.9 branch). In these versions, help text will be escaped to prevent the inclusion of HTML tags. Site owners who wish to re-enable the use of HTML within help text (and are willing to accept the risk of this being exploited by editors) may set WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True in their configuration settings. Site owners who are unable to upgrade to the new versions can secure their form page templates by rendering forms field-by-field as per Django's documentation, but omitting the |safe filter when outputting the help text.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15118", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00595", "scoring_system": "epss", "scoring_elements": "0.69644", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15118" }, { "reference_url": "https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.Field.help_text", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.Field.help_text" }, { "reference_url": "https://docs.wagtail.io/en/stable/reference/contrib/forms/index.html#usage", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://docs.wagtail.io/en/stable/reference/contrib/forms/index.html#usage" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-154.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-154.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/blob/master/docs/releases/2.9.3.rst", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/blob/master/docs/releases/2.9.3.rst" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/d9a41e7f24d08c024acc9a3094940199df94db34", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/d9a41e7f24d08c024acc9a3094940199df94db34" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-2473-9hgq-j7xw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-2473-9hgq-j7xw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15118", "reference_id": "CVE-2020-15118", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "7.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15118" }, { "reference_url": "https://github.com/advisories/GHSA-2473-9hgq-j7xw", "reference_id": "GHSA-2473-9hgq-j7xw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2473-9hgq-j7xw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/16574?format=api", "purl": "pkg:pypi/wagtail@2.7.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-btdp-8uac-rkhp" }, { "vulnerability": "VCID-cfkh-sdk4-3uan" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.7.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/16575?format=api", "purl": "pkg:pypi/wagtail@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-btdp-8uac-rkhp" }, { "vulnerability": "VCID-cfkh-sdk4-3uan" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.9.3" } ], "aliases": [ "CVE-2020-15118", "GHSA-2473-9hgq-j7xw", "PYSEC-2020-154" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fr48-r964-g3aw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/8916?format=api", "vulnerability_id": "VCID-pkcr-w2en-dufq", "summary": "Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-45809", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00232", "scoring_system": "epss", "scoring_elements": "0.46041", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-45809" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-219.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-219.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/0bacd29473107d9d7f5b723a15a683449679756d", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/0bacd29473107d9d7f5b723a15a683449679756d" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/2231f462c75dfe84307fb40577e8c2109a23b27e", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/2231f462c75dfe84307fb40577e8c2109a23b27e" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.9" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v5.0.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v5.0.5" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v5.1.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v5.1.3" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45809", "reference_id": "CVE-2023-45809", "reference_type": "", "scores": [ { "value": "2.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45809" }, { "reference_url": "https://github.com/advisories/GHSA-fc75-58r8-rm3h", "reference_id": "GHSA-fc75-58r8-rm3h", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fc75-58r8-rm3h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35494?format=api", "purl": "pkg:pypi/wagtail@4.1.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.1.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/40738?format=api", "purl": "pkg:pypi/wagtail@4.2rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/35495?format=api", "purl": "pkg:pypi/wagtail@5.0.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.0.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/40739?format=api", "purl": "pkg:pypi/wagtail@5.1rc1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.1rc1" }, { "url": "http://public2.vulnerablecode.io/api/packages/35496?format=api", "purl": "pkg:pypi/wagtail@5.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.1.3" } ], "aliases": [ "CVE-2023-45809", "GHSA-fc75-58r8-rm3h", "PYSEC-2023-219" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pkcr-w2en-dufq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/22964?format=api", "vulnerability_id": "VCID-prth-nf4k-nqe5", "summary": "Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes\nA stored Cross-site Scripting (XSS) vulnerability exists on rendering `TableBlock` blocks within a StreamField. A user with access to create or edit pages containing `TableBlock` StreamField blocks is able to set specially-crafted `class` attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28222", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29604", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28222" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28222", "reference_id": "CVE-2026-28222", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28222" }, { "reference_url": "https://github.com/advisories/GHSA-p5cm-246w-84jm", "reference_id": "GHSA-p5cm-246w-84jm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p5cm-246w-84jm" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm", "reference_id": "GHSA-p5cm-246w-84jm", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49170?format=api", "purl": "pkg:pypi/wagtail@6.3.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/49182?format=api", "purl": "pkg:pypi/wagtail@7.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/49191?format=api", "purl": "pkg:pypi/wagtail@7.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/49194?format=api", "purl": "pkg:pypi/wagtail@7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1" } ], "aliases": [ "CVE-2026-28222", "GHSA-p5cm-246w-84jm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-prth-nf4k-nqe5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9660?format=api", "vulnerability_id": "VCID-qf1m-zu2w-dbds", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44201", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02074", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44201" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:45:22Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44201", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44201" }, { "reference_url": "https://github.com/advisories/GHSA-p5gm-92h4-6pv6", "reference_id": "GHSA-p5gm-92h4-6pv6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p5gm-92h4-6pv6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49195?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/49196?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44201", "GHSA-p5gm-92h4-6pv6", "PYSEC-2026-150" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qf1m-zu2w-dbds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/7888?format=api", "vulnerability_id": "VCID-sfrz-j9f2-9qgj", "summary": "In Wagtail before versions 2.7.2 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's \"Privacy\" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is understood to be feasible on a local network, but not on the public internet. Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability. This has been patched in 2.7.3, 2.8.2, 2.9.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11037", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00052", "scoring_system": "epss", "scoring_elements": "0.16683", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-11037" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-153.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-153.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/3c030490ed575bb9cd01dfb3a890477dcaeb2edf", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/3c030490ed575bb9cd01dfb3a890477dcaeb2edf" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/b76ab57ee859732b9cf9287d380493ab24061090", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/b76ab57ee859732b9cf9287d380493ab24061090" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/ba9d424bd1ca5ce1910d3de74f5cc07214fbfb11", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/ba9d424bd1ca5ce1910d3de74f5cc07214fbfb11" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/bac3cd0a26b023e595cf2959aae7da15bb5e4340", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/commit/bac3cd0a26b023e595cf2959aae7da15bb5e4340" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11037", "reference_id": "CVE-2020-11037", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N" }, { "value": "4.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11037" }, { "reference_url": "https://github.com/advisories/GHSA-jjjr-3jcw-f8v6", "reference_id": "GHSA-jjjr-3jcw-f8v6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jjjr-3jcw-f8v6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/14329?format=api", "purl": "pkg:pypi/wagtail@2.7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-btdp-8uac-rkhp" }, { "vulnerability": "VCID-cfkh-sdk4-3uan" }, { "vulnerability": "VCID-fr48-r964-g3aw" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.7.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/14328?format=api", "purl": "pkg:pypi/wagtail@2.8.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-btdp-8uac-rkhp" }, { "vulnerability": "VCID-cfkh-sdk4-3uan" }, { "vulnerability": "VCID-fr48-r964-g3aw" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.8.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/16571?format=api", "purl": "pkg:pypi/wagtail@2.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-12d4-1bj5-2yb5" }, { "vulnerability": "VCID-1dyp-u5tf-mqhh" }, { "vulnerability": "VCID-2upt-d3sg-ebea" }, { "vulnerability": "VCID-5p3e-kwee-ukfr" }, { "vulnerability": "VCID-672q-fuy3-yqd1" }, { "vulnerability": "VCID-8jfe-n528-xuc2" }, { "vulnerability": "VCID-8k9y-g5uj-nfaz" }, { "vulnerability": "VCID-9u79-7g62-23dk" }, { "vulnerability": "VCID-btdp-8uac-rkhp" }, { "vulnerability": "VCID-cfkh-sdk4-3uan" }, { "vulnerability": "VCID-fr48-r964-g3aw" }, { "vulnerability": "VCID-pkcr-w2en-dufq" }, { "vulnerability": "VCID-prth-nf4k-nqe5" }, { "vulnerability": "VCID-qf1m-zu2w-dbds" }, { "vulnerability": "VCID-yvjp-hx9y-mkgf" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.9" } ], "aliases": [ "CVE-2020-11037", "GHSA-jjjr-3jcw-f8v6", "PYSEC-2020-153" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sfrz-j9f2-9qgj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9659?format=api", "vulnerability_id": "VCID-yvjp-hx9y-mkgf", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44200", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08279", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44200" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:54:04Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44200", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44200" }, { "reference_url": "https://github.com/advisories/GHSA-67rv-mg8q-5pf3", "reference_id": "GHSA-67rv-mg8q-5pf3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-67rv-mg8q-5pf3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/49195?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/49196?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44200", "GHSA-67rv-mg8q-5pf3", "PYSEC-2026-149" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yvjp-hx9y-mkgf" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@1.4" }