Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/wagtail@2.7rc2
purl pkg:pypi/wagtail@2.7rc2
Next non-vulnerable version 7.0.7
Latest non-vulnerable version 7.3.2
Risk
Vulnerabilities affecting this package (12)
Vulnerability Summary Fixed by
VCID-12d4-1bj5-2yb5
Aliases:
CVE-2026-44199
GHSA-pwm3-7fv4-g6xx
PYSEC-2026-148
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
7.0.7
Affected by 0 other vulnerabilities.
7.3.2
Affected by 0 other vulnerabilities.
VCID-2upt-d3sg-ebea
Aliases:
CVE-2026-44198
GHSA-c4mr-889m-vgf6
PYSEC-2026-147
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
7.0.7
Affected by 0 other vulnerabilities.
7.3.2
Affected by 0 other vulnerabilities.
VCID-5p3e-kwee-ukfr
Aliases:
CVE-2026-44197
GHSA-c6wj-9vcj-75pj
PYSEC-2026-146
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
7.0.7
Affected by 0 other vulnerabilities.
7.3.2
Affected by 0 other vulnerabilities.
VCID-8jfe-n528-xuc2
Aliases:
CVE-2023-28837
GHSA-33pv-vcgh-jfg9
PYSEC-2023-56
Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.
4.1.4
Affected by 7 other vulnerabilities.
4.2.2
Affected by 7 other vulnerabilities.
VCID-8k9y-g5uj-nfaz
Aliases:
CVE-2023-28836
GHSA-5286-f2rf-35c2
PYSEC-2023-55
Wagtail is an open source content management system built on Django. Starting in version 1.5 and prior to versions 4.1.4 and 4.2.2, a stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled. For page, the vulnerability is in the "Choose a parent page" ModelAdmin view (`ChooseParentView`), available when managing pages via ModelAdmin. For documents, the vulnerability is in the ModelAdmin Inspect view (`InspectView`) when displaying document fields. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2. Site owners who are unable to upgrade to the new versions can disable or override the corresponding functionality.
4.1.4
Affected by 7 other vulnerabilities.
4.2.2
Affected by 7 other vulnerabilities.
VCID-9u79-7g62-23dk
Aliases:
CVE-2024-39317
GHSA-jmp3-39vp-fwg8
PYSEC-2024-86
Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.
5.2.6
Affected by 5 other vulnerabilities.
6.0.6
Affected by 5 other vulnerabilities.
6.1.3
Affected by 5 other vulnerabilities.
VCID-btdp-8uac-rkhp
Aliases:
CVE-2021-32681
GHSA-xfrw-hxr5-ghqf
PYSEC-2021-103
Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.
2.11.8
Affected by 9 other vulnerabilities.
2.12.5
Affected by 9 other vulnerabilities.
2.13.2
Affected by 10 other vulnerabilities.
VCID-cfkh-sdk4-3uan
Aliases:
CVE-2021-29434
GHSA-wq5h-f9p5-q7fx
PYSEC-2021-114
Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).
2.11.6
Affected by 11 other vulnerabilities.
2.11.7
Affected by 10 other vulnerabilities.
2.12.4
Affected by 10 other vulnerabilities.
VCID-huy8-gg6m-t3gz
Aliases:
CVE-2020-11001
GHSA-v2wc-pfq2-5cm6
PYSEC-2020-152
In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).
2.7.2
Affected by 13 other vulnerabilities.
2.8.1
Affected by 12 other vulnerabilities.
VCID-pkcr-w2en-dufq
Aliases:
CVE-2023-45809
GHSA-fc75-58r8-rm3h
PYSEC-2023-219
Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.
4.1.9
Affected by 6 other vulnerabilities.
5.0.5
Affected by 6 other vulnerabilities.
5.1.3
Affected by 6 other vulnerabilities.
VCID-qf1m-zu2w-dbds
Aliases:
CVE-2026-44201
GHSA-p5gm-92h4-6pv6
PYSEC-2026-150
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
7.0.7
Affected by 0 other vulnerabilities.
7.3.2
Affected by 0 other vulnerabilities.
VCID-yvjp-hx9y-mkgf
Aliases:
CVE-2026-44200
GHSA-67rv-mg8q-5pf3
PYSEC-2026-149
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
7.0.7
Affected by 0 other vulnerabilities.
7.3.2
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-30T20:38:32.724841+00:00 Pypa Importer Affected by VCID-qf1m-zu2w-dbds https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-150.yaml 38.6.0
2026-05-30T20:38:30.665388+00:00 Pypa Importer Affected by VCID-yvjp-hx9y-mkgf https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-149.yaml 38.6.0
2026-05-30T20:38:28.544477+00:00 Pypa Importer Affected by VCID-12d4-1bj5-2yb5 https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-148.yaml 38.6.0
2026-05-30T20:38:26.499173+00:00 Pypa Importer Affected by VCID-2upt-d3sg-ebea https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-147.yaml 38.6.0
2026-05-30T20:38:24.381976+00:00 Pypa Importer Affected by VCID-5p3e-kwee-ukfr https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-146.yaml 38.6.0
2026-05-30T20:34:44.999749+00:00 Pypa Importer Affected by VCID-9u79-7g62-23dk https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2024-86.yaml 38.6.0
2026-05-30T20:32:59.130338+00:00 Pypa Importer Affected by VCID-pkcr-w2en-dufq https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2023-219.yaml 38.6.0
2026-05-30T20:31:37.152761+00:00 Pypa Importer Affected by VCID-8k9y-g5uj-nfaz https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2023-55.yaml 38.6.0
2026-05-30T20:31:35.859278+00:00 Pypa Importer Affected by VCID-8jfe-n528-xuc2 https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2023-56.yaml 38.6.0
2026-05-30T20:27:07.826390+00:00 Pypa Importer Affected by VCID-btdp-8uac-rkhp https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2021-103.yaml 38.6.0
2026-05-30T20:22:41.616489+00:00 Pypa Importer Affected by VCID-cfkh-sdk4-3uan https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2021-114.yaml 38.6.0
2026-05-30T20:19:11.178361+00:00 Pypa Importer Affected by VCID-huy8-gg6m-t3gz https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2020-152.yaml 38.6.0