{"url":"http://public2.vulnerablecode.io/api/packages/14186?format=json","purl":"pkg:pypi/wagtail@2.5.1","type":"pypi","namespace":"","name":"wagtail","version":"2.5.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.0.7","latest_non_vulnerable_version":"7.3.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9658?format=json","vulnerability_id":"VCID-12d4-1bj5-2yb5","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44199","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09514","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44199"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:22:48Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44199","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44199"},{"reference_url":"https://github.com/advisories/GHSA-pwm3-7fv4-g6xx","reference_id":"GHSA-pwm3-7fv4-g6xx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pwm3-7fv4-g6xx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49195?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/49196?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44199","GHSA-pwm3-7fv4-g6xx","PYSEC-2026-148"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-12d4-1bj5-2yb5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9657?format=json","vulnerability_id":"VCID-2upt-d3sg-ebea","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44198","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09075","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44198"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:53:32Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44198","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44198"},{"reference_url":"https://github.com/advisories/GHSA-c4mr-889m-vgf6","reference_id":"GHSA-c4mr-889m-vgf6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c4mr-889m-vgf6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49195?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/49196?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44198","GHSA-c4mr-889m-vgf6","PYSEC-2026-147"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2upt-d3sg-ebea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9656?format=json","vulnerability_id":"VCID-5p3e-kwee-ukfr","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44197","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10242","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44197"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:52:47Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44197","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44197"},{"reference_url":"https://github.com/advisories/GHSA-c6wj-9vcj-75pj","reference_id":"GHSA-c6wj-9vcj-75pj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c6wj-9vcj-75pj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49195?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/49196?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44197","GHSA-c6wj-9vcj-75pj","PYSEC-2026-146"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5p3e-kwee-ukfr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8748?format=json","vulnerability_id":"VCID-8jfe-n528-xuc2","summary":"Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash of denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2). Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28837","reference_id":"","reference_type":"","scores":[{"value":"0.013","scoring_system":"epss","scoring_elements":"0.80045","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28837"},{"reference_url":"https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-56.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-56.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880"},{"reference_url":"https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165"},{"reference_url":"https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf"},{"reference_url":"https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v4.1.4","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v4.1.4"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v4.2.2","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v4.2.2"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28837","reference_id":"CVE-2023-28837","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28837"},{"reference_url":"https://github.com/advisories/GHSA-33pv-vcgh-jfg9","reference_id":"GHSA-33pv-vcgh-jfg9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-33pv-vcgh-jfg9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32036?format=json","purl":"pkg:pypi/wagtail@4.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.1.4"},{"url":"http://public2.vulnerablecode.io/api/packages/32035?format=json","purl":"pkg:pypi/wagtail@4.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2.2"}],"aliases":["CVE-2023-28837","GHSA-33pv-vcgh-jfg9","PYSEC-2023-56"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8jfe-n528-xuc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8749?format=json","vulnerability_id":"VCID-8k9y-g5uj-nfaz","summary":"Wagtail is an open source content management system built on Django. Starting in version 1.5 and prior to versions 4.1.4 and 4.2.2, a stored cross-site scripting (XSS) vulnerability exists on ModelAdmin views within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft pages and documents that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites with ModelAdmin enabled. For page, the vulnerability is in the \"Choose a parent page\" ModelAdmin view (`ChooseParentView`), available when managing pages via ModelAdmin. For documents, the vulnerability is in the ModelAdmin Inspect view (`InspectView`) when displaying document fields. Patched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2. Site owners who are unable to upgrade to the new versions can disable or override the corresponding functionality.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28836","reference_id":"","reference_type":"","scores":[{"value":"0.01096","scoring_system":"epss","scoring_elements":"0.78301","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28836"},{"reference_url":"https://docs.wagtail.org/en/stable/reference/contrib/modeladmin/chooseparentview.html#customising-chooseparentview","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/"}],"url":"https://docs.wagtail.org/en/stable/reference/contrib/modeladmin/chooseparentview.html#customising-chooseparentview"},{"reference_url":"https://docs.wagtail.org/en/stable/reference/contrib/modeladmin/inspectview.html#enabling-customising-inspectview","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/"}],"url":"https://docs.wagtail.org/en/stable/reference/contrib/modeladmin/inspectview.html#enabling-customising-inspectview"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-55.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-55.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/5be2b1ed55fd7259dfdf2c82e7701dba407b8b62","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/"}],"url":"https://github.com/wagtail/wagtail/commit/5be2b1ed55fd7259dfdf2c82e7701dba407b8b62"},{"reference_url":"https://github.com/wagtail/wagtail/commit/bc84bf9815610cfbf8db3b6050c7ddcbaa4b9713","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/"}],"url":"https://github.com/wagtail/wagtail/commit/bc84bf9815610cfbf8db3b6050c7ddcbaa4b9713"},{"reference_url":"https://github.com/wagtail/wagtail/commit/eefc3381d37b476791610e5d30594fae443f33af","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/"}],"url":"https://github.com/wagtail/wagtail/commit/eefc3381d37b476791610e5d30594fae443f33af"},{"reference_url":"https://github.com/wagtail/wagtail/commit/ff806ab173a504395fdfb3139eb0a29444ab4b91","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/"}],"url":"https://github.com/wagtail/wagtail/commit/ff806ab173a504395fdfb3139eb0a29444ab4b91"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v4.1.4","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v4.1.4"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v4.2.2","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v4.2.2"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-5286-f2rf-35c2","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-11T16:36:00Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-5286-f2rf-35c2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28836","reference_id":"CVE-2023-28836","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H"},{"value":"7.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28836"},{"reference_url":"https://github.com/advisories/GHSA-5286-f2rf-35c2","reference_id":"GHSA-5286-f2rf-35c2","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5286-f2rf-35c2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32036?format=json","purl":"pkg:pypi/wagtail@4.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.1.4"},{"url":"http://public2.vulnerablecode.io/api/packages/32035?format=json","purl":"pkg:pypi/wagtail@4.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2.2"}],"aliases":["CVE-2023-28836","GHSA-5286-f2rf-35c2","PYSEC-2023-55"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8k9y-g5uj-nfaz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9168?format=json","vulnerability_id":"VCID-9u79-7g62-23dk","summary":"Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39317","reference_id":"","reference_type":"","scores":[{"value":"0.00329","scoring_system":"epss","scoring_elements":"0.56125","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39317"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2024-86.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2024-86.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/"}],"url":"https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2"},{"reference_url":"https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/"}],"url":"https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797"},{"reference_url":"https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/"}],"url":"https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39317","reference_id":"CVE-2024-39317","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39317"},{"reference_url":"https://github.com/advisories/GHSA-jmp3-39vp-fwg8","reference_id":"GHSA-jmp3-39vp-fwg8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jmp3-39vp-fwg8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40758?format=json","purl":"pkg:pypi/wagtail@5.2.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.2.6"},{"url":"http://public2.vulnerablecode.io/api/packages/40757?format=json","purl":"pkg:pypi/wagtail@6.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/40756?format=json","purl":"pkg:pypi/wagtail@6.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.1.3"}],"aliases":["CVE-2024-39317","GHSA-jmp3-39vp-fwg8","PYSEC-2024-86"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9u79-7g62-23dk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8114?format=json","vulnerability_id":"VCID-btdp-8uac-rkhp","summary":"Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32681","reference_id":"","reference_type":"","scores":[{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.52978","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32681"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-103.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-103.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v2.11.8","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v2.11.8"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v2.12.5","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v2.12.5"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v2.13.2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v2.13.2"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32681","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32681"},{"reference_url":"https://github.com/advisories/GHSA-xfrw-hxr5-ghqf","reference_id":"GHSA-xfrw-hxr5-ghqf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xfrw-hxr5-ghqf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21541?format=json","purl":"pkg:pypi/wagtail@2.11.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-8jfe-n528-xuc2"},{"vulnerability":"VCID-8k9y-g5uj-nfaz"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.8"},{"url":"http://public2.vulnerablecode.io/api/packages/21540?format=json","purl":"pkg:pypi/wagtail@2.12.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-8jfe-n528-xuc2"},{"vulnerability":"VCID-8k9y-g5uj-nfaz"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.12.5"},{"url":"http://public2.vulnerablecode.io/api/packages/21539?format=json","purl":"pkg:pypi/wagtail@2.13.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-8jfe-n528-xuc2"},{"vulnerability":"VCID-8k9y-g5uj-nfaz"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-chj9-nmry-q3f1"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.13.2"}],"aliases":["CVE-2021-32681","GHSA-xfrw-hxr5-ghqf","PYSEC-2021-103"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-btdp-8uac-rkhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8082?format=json","vulnerability_id":"VCID-cfkh-sdk4-3uan","summary":"Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29434","reference_id":"","reference_type":"","scores":[{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.50921","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29434"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4"},{"reference_url":"https://github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c"},{"reference_url":"https://github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29434","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29434"},{"reference_url":"https://pypi.org/project/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/wagtail"},{"reference_url":"https://pypi.org/project/wagtail/","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/wagtail/"},{"reference_url":"https://github.com/advisories/GHSA-wq5h-f9p5-q7fx","reference_id":"GHSA-wq5h-f9p5-q7fx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wq5h-f9p5-q7fx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/20372?format=json","purl":"pkg:pypi/wagtail@2.11.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-8jfe-n528-xuc2"},{"vulnerability":"VCID-8k9y-g5uj-nfaz"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-btdp-8uac-rkhp"},{"vulnerability":"VCID-cfkh-sdk4-3uan"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.6"},{"url":"http://public2.vulnerablecode.io/api/packages/20377?format=json","purl":"pkg:pypi/wagtail@2.11.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-8jfe-n528-xuc2"},{"vulnerability":"VCID-8k9y-g5uj-nfaz"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-btdp-8uac-rkhp"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.7"},{"url":"http://public2.vulnerablecode.io/api/packages/20378?format=json","purl":"pkg:pypi/wagtail@2.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-8jfe-n528-xuc2"},{"vulnerability":"VCID-8k9y-g5uj-nfaz"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-btdp-8uac-rkhp"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.12.4"}],"aliases":["CVE-2021-29434","GHSA-wq5h-f9p5-q7fx","PYSEC-2021-114"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cfkh-sdk4-3uan"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7882?format=json","vulnerability_id":"VCID-huy8-gg6m-t3gz","summary":"In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11001","reference_id":"","reference_type":"","scores":[{"value":"0.00356","scoring_system":"epss","scoring_elements":"0.58108","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11001"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-152.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-152.yaml"},{"reference_url":"https://github.com/wagtail/wagtail/commit/61045ceefea114c40ac4b680af58990dbe732389","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/61045ceefea114c40ac4b680af58990dbe732389"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v2.8.1","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v2.8.1"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-v2wc-pfq2-5cm6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11001","reference_id":"CVE-2020-11001","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N"},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11001"},{"reference_url":"https://github.com/advisories/GHSA-v2wc-pfq2-5cm6","reference_id":"GHSA-v2wc-pfq2-5cm6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v2wc-pfq2-5cm6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/14197?format=json","purl":"pkg:pypi/wagtail@2.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-8jfe-n528-xuc2"},{"vulnerability":"VCID-8k9y-g5uj-nfaz"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-btdp-8uac-rkhp"},{"vulnerability":"VCID-cfkh-sdk4-3uan"},{"vulnerability":"VCID-fr48-r964-g3aw"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-sfrz-j9f2-9qgj"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.7.2"},{"url":"http://public2.vulnerablecode.io/api/packages/14327?format=json","purl":"pkg:pypi/wagtail@2.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-8jfe-n528-xuc2"},{"vulnerability":"VCID-8k9y-g5uj-nfaz"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-btdp-8uac-rkhp"},{"vulnerability":"VCID-cfkh-sdk4-3uan"},{"vulnerability":"VCID-pkcr-w2en-dufq"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-sfrz-j9f2-9qgj"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.8.1"}],"aliases":["CVE-2020-11001","GHSA-v2wc-pfq2-5cm6","PYSEC-2020-152"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-huy8-gg6m-t3gz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8916?format=json","vulnerability_id":"VCID-pkcr-w2en-dufq","summary":"Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45809","reference_id":"","reference_type":"","scores":[{"value":"0.00232","scoring_system":"epss","scoring_elements":"0.46041","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45809"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-219.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-219.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/0bacd29473107d9d7f5b723a15a683449679756d","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/0bacd29473107d9d7f5b723a15a683449679756d"},{"reference_url":"https://github.com/wagtail/wagtail/commit/2231f462c75dfe84307fb40577e8c2109a23b27e","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/2231f462c75dfe84307fb40577e8c2109a23b27e"},{"reference_url":"https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v4.1.9","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v4.1.9"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v5.0.5","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v5.0.5"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v5.1.3","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v5.1.3"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45809","reference_id":"CVE-2023-45809","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45809"},{"reference_url":"https://github.com/advisories/GHSA-fc75-58r8-rm3h","reference_id":"GHSA-fc75-58r8-rm3h","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fc75-58r8-rm3h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35494?format=json","purl":"pkg:pypi/wagtail@4.1.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.1.9"},{"url":"http://public2.vulnerablecode.io/api/packages/35495?format=json","purl":"pkg:pypi/wagtail@5.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/35496?format=json","purl":"pkg:pypi/wagtail@5.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-9u79-7g62-23dk"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.1.3"}],"aliases":["CVE-2023-45809","GHSA-fc75-58r8-rm3h","PYSEC-2023-219"],"risk_score":1.2,"exploitability":"0.5","weighted_severity":"2.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pkcr-w2en-dufq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9660?format=json","vulnerability_id":"VCID-qf1m-zu2w-dbds","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44201","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02074","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44201"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:45:22Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44201","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44201"},{"reference_url":"https://github.com/advisories/GHSA-p5gm-92h4-6pv6","reference_id":"GHSA-p5gm-92h4-6pv6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p5gm-92h4-6pv6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49195?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/49196?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44201","GHSA-p5gm-92h4-6pv6","PYSEC-2026-150"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qf1m-zu2w-dbds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9659?format=json","vulnerability_id":"VCID-yvjp-hx9y-mkgf","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44200","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08279","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44200"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:54:04Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44200","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44200"},{"reference_url":"https://github.com/advisories/GHSA-67rv-mg8q-5pf3","reference_id":"GHSA-67rv-mg8q-5pf3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-67rv-mg8q-5pf3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49195?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/49196?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44200","GHSA-67rv-mg8q-5pf3","PYSEC-2026-149"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yvjp-hx9y-mkgf"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.5.1"}