Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/wagtail@7.0.6
purl pkg:pypi/wagtail@7.0.6
Next non-vulnerable version 7.0.7
Latest non-vulnerable version 7.3.2
Risk 3.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-12d4-1bj5-2yb5
Aliases:
CVE-2026-44199
GHSA-pwm3-7fv4-g6xx
PYSEC-2026-148
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
7.0.7
Affected by 0 other vulnerabilities.
7.3.2
Affected by 0 other vulnerabilities.
VCID-2upt-d3sg-ebea
Aliases:
CVE-2026-44198
GHSA-c4mr-889m-vgf6
PYSEC-2026-147
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
7.0.7
Affected by 0 other vulnerabilities.
7.3.2
Affected by 0 other vulnerabilities.
VCID-5p3e-kwee-ukfr
Aliases:
CVE-2026-44197
GHSA-c6wj-9vcj-75pj
PYSEC-2026-146
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
7.0.7
Affected by 0 other vulnerabilities.
7.3.2
Affected by 0 other vulnerabilities.
VCID-qf1m-zu2w-dbds
Aliases:
CVE-2026-44201
GHSA-p5gm-92h4-6pv6
PYSEC-2026-150
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
7.0.7
Affected by 0 other vulnerabilities.
7.3.2
Affected by 0 other vulnerabilities.
VCID-yvjp-hx9y-mkgf
Aliases:
CVE-2026-44200
GHSA-67rv-mg8q-5pf3
PYSEC-2026-149
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
7.0.7
Affected by 0 other vulnerabilities.
7.3.2
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-672q-fuy3-yqd1 Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface A stored Cross-site Scripting (XSS) vulnerability exists on confirmation messages within the `wagtail.contrib.simple_translation` module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. CVE-2026-28223
GHSA-p4v8-rw59-93cq
VCID-prth-nf4k-nqe5 Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes A stored Cross-site Scripting (XSS) vulnerability exists on rendering `TableBlock` blocks within a StreamField. A user with access to create or edit pages containing `TableBlock` StreamField blocks is able to set specially-crafted `class` attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. CVE-2026-28222
GHSA-p5cm-246w-84jm

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-31T10:56:25.870257+00:00 GithubOSV Importer Fixing VCID-672q-fuy3-yqd1 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p4v8-rw59-93cq/GHSA-p4v8-rw59-93cq.json 38.6.0
2026-05-31T10:54:45.118737+00:00 GithubOSV Importer Fixing VCID-prth-nf4k-nqe5 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p5cm-246w-84jm/GHSA-p5cm-246w-84jm.json 38.6.0
2026-05-31T09:48:01.862097+00:00 PyPI Importer Affected by VCID-qf1m-zu2w-dbds https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:48:00.751455+00:00 PyPI Importer Affected by VCID-yvjp-hx9y-mkgf https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:47:59.680520+00:00 PyPI Importer Affected by VCID-12d4-1bj5-2yb5 https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:47:58.641535+00:00 PyPI Importer Affected by VCID-2upt-d3sg-ebea https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:47:57.593833+00:00 PyPI Importer Affected by VCID-5p3e-kwee-ukfr https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T01:08:06.104499+00:00 GHSA Importer Fixing VCID-672q-fuy3-yqd1 https://github.com/advisories/GHSA-p4v8-rw59-93cq 38.6.0
2026-05-31T01:08:06.007874+00:00 GHSA Importer Fixing VCID-prth-nf4k-nqe5 https://github.com/advisories/GHSA-p5cm-246w-84jm 38.6.0
2026-05-30T21:07:27.448612+00:00 GitLab Importer Fixing VCID-prth-nf4k-nqe5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/wagtail/CVE-2026-28222.yml 38.6.0
2026-05-30T21:07:27.346610+00:00 GitLab Importer Fixing VCID-672q-fuy3-yqd1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/wagtail/CVE-2026-28223.yml 38.6.0
2026-05-30T20:38:33.356620+00:00 Pypa Importer Affected by VCID-qf1m-zu2w-dbds https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-150.yaml 38.6.0
2026-05-30T20:38:31.316338+00:00 Pypa Importer Affected by VCID-yvjp-hx9y-mkgf https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-149.yaml 38.6.0
2026-05-30T20:38:29.208787+00:00 Pypa Importer Affected by VCID-12d4-1bj5-2yb5 https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-148.yaml 38.6.0
2026-05-30T20:38:27.138658+00:00 Pypa Importer Affected by VCID-2upt-d3sg-ebea https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-147.yaml 38.6.0
2026-05-30T20:38:25.049513+00:00 Pypa Importer Affected by VCID-5p3e-kwee-ukfr https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-146.yaml 38.6.0