Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/93063?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/93063?format=api", "purl": "pkg:pypi/wagtail@6.4.2", "type": "pypi", "namespace": "", "name": "wagtail", "version": "6.4.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "7.0.7", "latest_non_vulnerable_version": "7.3.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67858?format=api", "vulnerability_id": "VCID-7uqp-knu1-sybq", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44197", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00033", "scoring_system": "epss", "scoring_elements": "0.10234", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11872", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11895", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11896", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44197" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-146.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-146.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44197", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44197" }, { "reference_url": "https://github.com/advisories/GHSA-c6wj-9vcj-75pj", "reference_id": "GHSA-c6wj-9vcj-75pj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c6wj-9vcj-75pj" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj", "reference_id": "GHSA-c6wj-9vcj-75pj", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:52:47Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/93072?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], 
"resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/93073?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44197", "GHSA-c6wj-9vcj-75pj", "PYSEC-2026-146" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7uqp-knu1-sybq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69261?format=api", "vulnerability_id": "VCID-feyw-n44z-cuc9", "summary": "Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the \"Translate\" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. 
This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28223", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13925", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.14014", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.1404", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.14042", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28223" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863", "reference_id": "1c6f2effed68f4ccad6fbd07987e03641505f863", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19", "reference_id": "ba70244d376a7b1bd180ded03e827917ff410c19", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28223", "reference_id": "CVE-2026-28223", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28223" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c", "reference_id": "d8c5900982df8ed5938ad993aa9ff69cda50f80c", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143", "reference_id": "ee39d39deeb7f250fe886417b24802d7e05b1143", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": 
"https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143" }, { "reference_url": "https://github.com/advisories/GHSA-p4v8-rw59-93cq", "reference_id": "GHSA-p4v8-rw59-93cq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p4v8-rw59-93cq" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq", "reference_id": "GHSA-p4v8-rw59-93cq", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8", "reference_id": "v6.3.8", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6", "reference_id": "v7.0.6", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3", "reference_id": "v7.2.3", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1", "reference_id": "v7.3.1", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40101?format=api", "purl": "pkg:pypi/wagtail@7.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7uqp-knu1-sybq" }, { "vulnerability": "VCID-mcfk-qckt-eug8" }, { "vulnerability": "VCID-r4v4-7425-yqgd" }, { "vulnerability": "VCID-t8am-3wuh-6ka2" }, { "vulnerability": "VCID-wwur-1fuu-yka1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/40099?format=api", "purl": "pkg:pypi/wagtail@7.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7uqp-knu1-sybq" }, { "vulnerability": "VCID-mcfk-qckt-eug8" }, { "vulnerability": "VCID-r4v4-7425-yqgd" }, 
{ "vulnerability": "VCID-t8am-3wuh-6ka2" }, { "vulnerability": "VCID-wwur-1fuu-yka1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/40100?format=api", "purl": "pkg:pypi/wagtail@7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7uqp-knu1-sybq" }, { "vulnerability": "VCID-mcfk-qckt-eug8" }, { "vulnerability": "VCID-r4v4-7425-yqgd" }, { "vulnerability": "VCID-t8am-3wuh-6ka2" }, { "vulnerability": "VCID-wwur-1fuu-yka1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1" } ], "aliases": [ "CVE-2026-28223", "GHSA-p4v8-rw59-93cq" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-feyw-n44z-cuc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67766?format=api", "vulnerability_id": "VCID-mcfk-qckt-eug8", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. 
This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44201", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02019", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02545", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00014", "scoring_system": "epss", "scoring_elements": "0.02554", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44201" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-150.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-150.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44201", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44201" }, { "reference_url": "https://github.com/advisories/GHSA-p5gm-92h4-6pv6", "reference_id": "GHSA-p5gm-92h4-6pv6", "reference_type": "", "scores": [ { 
"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p5gm-92h4-6pv6" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6", "reference_id": "GHSA-p5gm-92h4-6pv6", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:45:22Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/93072?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/93073?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44201", "GHSA-p5gm-92h4-6pv6", "PYSEC-2026-150" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mcfk-qckt-eug8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67645?format=api", "vulnerability_id": "VCID-r4v4-7425-yqgd", "summary": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. 
This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44198", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0003", "scoring_system": "epss", "scoring_elements": "0.09019", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10546", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.10571", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00034", "scoring_system": "epss", "scoring_elements": "0.1057", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44198" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-147.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-147.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44198", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44198" }, { "reference_url": 
"https://github.com/advisories/GHSA-c4mr-889m-vgf6", "reference_id": "GHSA-c4mr-889m-vgf6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-c4mr-889m-vgf6" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6", "reference_id": "GHSA-c4mr-889m-vgf6", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:53:32Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/93072?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/93073?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44198", "GHSA-c4mr-889m-vgf6", "PYSEC-2026-147" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-r4v4-7425-yqgd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/67759?format=api", "vulnerability_id": "VCID-t8am-3wuh-6ka2", "summary": "Wagtail is an open source content management system built on Django. 
Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44200", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08198", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09612", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.096", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.0961", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44200" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-149.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-149.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44200", "reference_id": "", 
"reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44200" }, { "reference_url": "https://github.com/advisories/GHSA-67rv-mg8q-5pf3", "reference_id": "GHSA-67rv-mg8q-5pf3", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-67rv-mg8q-5pf3" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3", "reference_id": "GHSA-67rv-mg8q-5pf3", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:54:04Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/93072?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/93073?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44200", "GHSA-67rv-mg8q-5pf3", "PYSEC-2026-149" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-t8am-3wuh-6ka2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69146?format=api", "vulnerability_id": "VCID-w5jh-4xaa-qyg2", "summary": "Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28222", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29493", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29692", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.29708", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00113", "scoring_system": "epss", "scoring_elements": "0.2969", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28222" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d", "reference_id": "0375094bb57ce6e527005c2bb2e871dd20bca04d", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e", "reference_id": "4620423cb22c5253391a0f04178089c1162f6e2e", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85", "reference_id": "575c0d7c18c7716ed73f7a3c2720ad75956f0a85", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85" }, { "reference_url": 
"https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b", "reference_id": "605a5569686565e035313222e1bc2f9802fbc55b", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28222", "reference_id": "CVE-2026-28222", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28222" }, { "reference_url": "https://github.com/advisories/GHSA-p5cm-246w-84jm", "reference_id": "GHSA-p5cm-246w-84jm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p5cm-246w-84jm" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm", "reference_id": "GHSA-p5cm-246w-84jm", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm" }, { "reference_url": 
"https://github.com/wagtail/wagtail/releases/tag/v6.3.8", "reference_id": "v6.3.8", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6", "reference_id": "v7.0.6", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3", "reference_id": "v7.2.3", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1", "reference_id": "v7.3.1", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40101?format=api", "purl": "pkg:pypi/wagtail@7.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7uqp-knu1-sybq" }, { "vulnerability": "VCID-mcfk-qckt-eug8" }, { "vulnerability": "VCID-r4v4-7425-yqgd" }, { "vulnerability": "VCID-t8am-3wuh-6ka2" }, { "vulnerability": "VCID-wwur-1fuu-yka1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/40099?format=api", "purl": "pkg:pypi/wagtail@7.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7uqp-knu1-sybq" }, { "vulnerability": "VCID-mcfk-qckt-eug8" }, { "vulnerability": "VCID-r4v4-7425-yqgd" }, { "vulnerability": "VCID-t8am-3wuh-6ka2" }, { "vulnerability": "VCID-wwur-1fuu-yka1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/40100?format=api", "purl": "pkg:pypi/wagtail@7.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7uqp-knu1-sybq" }, { "vulnerability": "VCID-mcfk-qckt-eug8" }, { "vulnerability": "VCID-r4v4-7425-yqgd" }, { "vulnerability": "VCID-t8am-3wuh-6ka2" }, { "vulnerability": "VCID-wwur-1fuu-yka1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1" } ], "aliases": [ "CVE-2026-28222", "GHSA-p5cm-246w-84jm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w5jh-4xaa-qyg2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/68053?format=api", "vulnerability_id": "VCID-wwur-1fuu-yka1", "summary": "Wagtail is an open source content management 
system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to, by crafting a form submission on a page they do have access to that deletes submissions they don't have access to. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44199", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.09491", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11052", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11085", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.1109", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44199" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-148.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-148.yaml" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-44199", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44199" }, { "reference_url": "https://github.com/advisories/GHSA-pwm3-7fv4-g6xx", "reference_id": "GHSA-pwm3-7fv4-g6xx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pwm3-7fv4-g6xx" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx", "reference_id": "GHSA-pwm3-7fv4-g6xx", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:22:48Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/93072?format=api", "purl": "pkg:pypi/wagtail@7.0.7", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/93073?format=api", "purl": "pkg:pypi/wagtail@7.3.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2" } ], "aliases": [ "CVE-2026-44199", "GHSA-pwm3-7fv4-g6xx", "PYSEC-2026-148" ], "risk_score": 3.1, "exploitability": "0.5", 
"weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wwur-1fuu-yka1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/65665?format=api", "vulnerability_id": "VCID-yu3w-ev5z-uuhc", "summary": "Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. 
This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25517", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02997", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03005", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02994", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03009", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25517" }, { "reference_url": "https://github.com/wagtail/wagtail", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.6" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.4" }, 
{ "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.1.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.1.3" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.2" }, { "reference_url": "https://github.com/wagtail/wagtail/releases/tag/v7.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wagtail/wagtail/releases/tag/v7.3" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719", "reference_id": "01fd3477365a193e6a8270311defb76e890d2719", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719" }, { "reference_url": 
"https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f", "reference_id": "5f09b6da61e779b0e8499bdbba52bf2f7bd3241f", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190", "reference_id": "73f070dbefbd3b39ea6649ce36bd2d2a6eef2190", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915", "reference_id": "7dfe8de5f8b3f112c73c87b6729197db16454915", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25517", 
"reference_id": "CVE-2026-25517", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25517" }, { "reference_url": "https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03", "reference_id": "dd824023a031f1b82a6b6f83a97a5c73391b7c03", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03" }, { "reference_url": "https://github.com/advisories/GHSA-4qvv-g3vr-m348", "reference_id": "GHSA-4qvv-g3vr-m348", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4qvv-g3vr-m348" }, { "reference_url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348", "reference_id": "GHSA-4qvv-g3vr-m348", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/" } ], "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348" } ], "fixed_packages": [ 
{ "url": "http://public2.vulnerablecode.io/api/packages/38665?format=api", "purl": "pkg:pypi/wagtail@7.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7uqp-knu1-sybq" }, { "vulnerability": "VCID-feyw-n44z-cuc9" }, { "vulnerability": "VCID-mcfk-qckt-eug8" }, { "vulnerability": "VCID-r4v4-7425-yqgd" }, { "vulnerability": "VCID-t8am-3wuh-6ka2" }, { "vulnerability": "VCID-w5jh-4xaa-qyg2" }, { "vulnerability": "VCID-wwur-1fuu-yka1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/38662?format=api", "purl": "pkg:pypi/wagtail@7.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7uqp-knu1-sybq" }, { "vulnerability": "VCID-feyw-n44z-cuc9" }, { "vulnerability": "VCID-mcfk-qckt-eug8" }, { "vulnerability": "VCID-r4v4-7425-yqgd" }, { "vulnerability": "VCID-t8am-3wuh-6ka2" }, { "vulnerability": "VCID-w5jh-4xaa-qyg2" }, { "vulnerability": "VCID-wwur-1fuu-yka1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.1.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/38671?format=api", "purl": "pkg:pypi/wagtail@7.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7uqp-knu1-sybq" }, { "vulnerability": "VCID-feyw-n44z-cuc9" }, { "vulnerability": "VCID-mcfk-qckt-eug8" }, { "vulnerability": "VCID-r4v4-7425-yqgd" }, { "vulnerability": "VCID-t8am-3wuh-6ka2" }, { "vulnerability": "VCID-w5jh-4xaa-qyg2" }, { "vulnerability": "VCID-wwur-1fuu-yka1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/38658?format=api", "purl": "pkg:pypi/wagtail@7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7uqp-knu1-sybq" }, { "vulnerability": "VCID-feyw-n44z-cuc9" }, { "vulnerability": "VCID-mcfk-qckt-eug8" }, { "vulnerability": 
"VCID-r4v4-7425-yqgd" }, { "vulnerability": "VCID-t8am-3wuh-6ka2" }, { "vulnerability": "VCID-w5jh-4xaa-qyg2" }, { "vulnerability": "VCID-wwur-1fuu-yka1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3" } ], "aliases": [ "CVE-2026-25517", "GHSA-4qvv-g3vr-m348" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yu3w-ev5z-uuhc" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.4.2" }