{"url":"http://public2.vulnerablecode.io/api/packages/30838?format=json","purl":"pkg:pypi/wagtail@6.0.3","type":"pypi","namespace":"","name":"wagtail","version":"6.0.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.0.7","latest_non_vulnerable_version":"7.3.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67858?format=json","vulnerability_id":"VCID-7uqp-knu1-sybq","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44197","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10234","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11896","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44197"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-146.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-146.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44197","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44197"},{"reference_url":"https://github.com/advisories/GHSA-c6wj-9vcj-75pj","reference_id":"GHSA-c6wj-9vcj-75pj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c6wj-9vcj-75pj"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj","reference_id":"GHSA-c6wj-9vcj-75pj","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:52:47Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/93072?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/93073?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44197","GHSA-c6wj-9vcj-75pj","PYSEC-2026-146"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7uqp-knu1-sybq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43939?format=json","vulnerability_id":"VCID-et9z-2d6h-zbgs","summary":"Wagtail is an open source content management system built on Django. Due to an improperly applied permission check in the `wagtail.contrib.settings` module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and update that setting, even when they have not been granted permission over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 6.0.5 and 6.1.2. Wagtail releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are unable to upgrade to a patched version can avoid the vulnerability in `ModelViewSet` by registering the model as a snippet instead. No workaround is available for `wagtail.contrib.settings`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-35228","reference_id":"","reference_type":"","scores":[{"value":"0.0016","scoring_system":"epss","scoring_elements":"0.36865","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0016","scoring_system":"epss","scoring_elements":"0.36686","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-35228"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/284f75a6f91f7ab18cc304d7d34f33b559ae37b1","reference_id":"284f75a6f91f7ab18cc304d7d34f33b559ae37b1","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-31T16:19:13Z/"}],"url":"https://github.com/wagtail/wagtail/commit/284f75a6f91f7ab18cc304d7d34f33b559ae37b1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35228","reference_id":"CVE-2024-35228","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35228"},{"reference_url":"https://github.com/advisories/GHSA-xxfm-vmcf-g33f","reference_id":"GHSA-xxfm-vmcf-g33f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xxfm-vmcf-g33f"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-xxfm-vmcf-g33f","reference_id":"GHSA-xxfm-vmcf-g33f","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-31T16:19:13Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-xxfm-vmcf-g33f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/31874?format=json","purl":"pkg:pypi/wagtail@6.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/31876?format=json","purl":"pkg:pypi/wagtail@6.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.1.2"}],"aliases":["CVE-2024-35228","GHSA-xxfm-vmcf-g33f"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-et9z-2d6h-zbgs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69261?format=json","vulnerability_id":"VCID-feyw-n44z-cuc9","summary":"Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the \"Translate\" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28223","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13925","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14042","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28223"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863","reference_id":"1c6f2effed68f4ccad6fbd07987e03641505f863","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863"},{"reference_url":"https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19","reference_id":"ba70244d376a7b1bd180ded03e827917ff410c19","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28223","reference_id":"CVE-2026-28223","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28223"},{"reference_url":"https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c","reference_id":"d8c5900982df8ed5938ad993aa9ff69cda50f80c","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c"},{"reference_url":"https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143","reference_id":"ee39d39deeb7f250fe886417b24802d7e05b1143","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143"},{"reference_url":"https://github.com/advisories/GHSA-p4v8-rw59-93cq","reference_id":"GHSA-p4v8-rw59-93cq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p4v8-rw59-93cq"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq","reference_id":"GHSA-p4v8-rw59-93cq","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8","reference_id":"v6.3.8","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6","reference_id":"v7.0.6","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3","reference_id":"v7.2.3","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1","reference_id":"v7.3.1","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40103?format=json","purl":"pkg:pypi/wagtail@6.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/40101?format=json","purl":"pkg:pypi/wagtail@7.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/40099?format=json","purl":"pkg:pypi/wagtail@7.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/40100?format=json","purl":"pkg:pypi/wagtail@7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1"}],"aliases":["CVE-2026-28223","GHSA-p4v8-rw59-93cq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-feyw-n44z-cuc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46880?format=json","vulnerability_id":"VCID-gmht-envk-pbd8","summary":"Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39317","reference_id":"","reference_type":"","scores":[{"value":"0.00329","scoring_system":"epss","scoring_elements":"0.56397","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00329","scoring_system":"epss","scoring_elements":"0.56278","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-39317"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2024-86.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2024-86.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2","reference_id":"31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/"}],"url":"https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2"},{"reference_url":"https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797","reference_id":"3c941136f79c48446e3858df46e5b668d7f83797","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/"}],"url":"https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797"},{"reference_url":"https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2","reference_id":"b783c096b6d4fd2cfc05f9137a0be288850e99a2","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/"}],"url":"https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39317","reference_id":"CVE-2024-39317","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39317"},{"reference_url":"https://github.com/advisories/GHSA-jmp3-39vp-fwg8","reference_id":"GHSA-jmp3-39vp-fwg8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jmp3-39vp-fwg8"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8","reference_id":"GHSA-jmp3-39vp-fwg8","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-17T15:46:41Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32608?format=json","purl":"pkg:pypi/wagtail@6.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/84305?format=json","purl":"pkg:pypi/wagtail@6.1rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.1rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/32604?format=json","purl":"pkg:pypi/wagtail@6.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.1.3"}],"aliases":["CVE-2024-39317","GHSA-jmp3-39vp-fwg8","PYSEC-2024-86"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gmht-envk-pbd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67766?format=json","vulnerability_id":"VCID-mcfk-qckt-eug8","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44201","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02019","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02554","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44201"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-150.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-150.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44201","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44201"},{"reference_url":"https://github.com/advisories/GHSA-p5gm-92h4-6pv6","reference_id":"GHSA-p5gm-92h4-6pv6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p5gm-92h4-6pv6"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6","reference_id":"GHSA-p5gm-92h4-6pv6","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:45:22Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/93072?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/93073?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44201","GHSA-p5gm-92h4-6pv6","PYSEC-2026-150"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mcfk-qckt-eug8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67645?format=json","vulnerability_id":"VCID-r4v4-7425-yqgd","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44198","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09019","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.1057","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44198"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-147.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-147.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44198","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44198"},{"reference_url":"https://github.com/advisories/GHSA-c4mr-889m-vgf6","reference_id":"GHSA-c4mr-889m-vgf6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c4mr-889m-vgf6"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6","reference_id":"GHSA-c4mr-889m-vgf6","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:53:32Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/93072?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/93073?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44198","GHSA-c4mr-889m-vgf6","PYSEC-2026-147"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r4v4-7425-yqgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67759?format=json","vulnerability_id":"VCID-t8am-3wuh-6ka2","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44200","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08198","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09612","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44200"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-149.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-149.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44200","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44200"},{"reference_url":"https://github.com/advisories/GHSA-67rv-mg8q-5pf3","reference_id":"GHSA-67rv-mg8q-5pf3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-67rv-mg8q-5pf3"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3","reference_id":"GHSA-67rv-mg8q-5pf3","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:54:04Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/93072?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/93073?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44200","GHSA-67rv-mg8q-5pf3","PYSEC-2026-149"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t8am-3wuh-6ka2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69146?format=json","vulnerability_id":"VCID-w5jh-4xaa-qyg2","summary":"Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28222","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29493","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.2969","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28222"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d","reference_id":"0375094bb57ce6e527005c2bb2e871dd20bca04d","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d"},{"reference_url":"https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e","reference_id":"4620423cb22c5253391a0f04178089c1162f6e2e","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e"},{"reference_url":"https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85","reference_id":"575c0d7c18c7716ed73f7a3c2720ad75956f0a85","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85"},{"reference_url":"https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b","reference_id":"605a5569686565e035313222e1bc2f9802fbc55b","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28222","reference_id":"CVE-2026-28222","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28222"},{"reference_url":"https://github.com/advisories/GHSA-p5cm-246w-84jm","reference_id":"GHSA-p5cm-246w-84jm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p5cm-246w-84jm"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm","reference_id":"GHSA-p5cm-246w-84jm","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8","reference_id":"v6.3.8","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6","reference_id":"v7.0.6","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3","reference_id":"v7.2.3","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1","reference_id":"v7.3.1","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40103?format=json","purl":"pkg:pypi/wagtail@6.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/40101?format=json","purl":"pkg:pypi/wagtail@7.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/40099?format=json","purl":"pkg:pypi/wagtail@7.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/40100?format=json","purl":"pkg:pypi/wagtail@7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1"}],"aliases":["CVE-2026-28222","GHSA-p5cm-246w-84jm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w5jh-4xaa-qyg2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68053?format=json","vulnerability_id":"VCID-wwur-1fuu-yka1","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44199","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09491","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.1109","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44199"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-148.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-148.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44199","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44199"},{"reference_url":"https://github.com/advisories/GHSA-pwm3-7fv4-g6xx","reference_id":"GHSA-pwm3-7fv4-g6xx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pwm3-7fv4-g6xx"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx","reference_id":"GHSA-pwm3-7fv4-g6xx","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:22:48Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/93072?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/93073?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44199","GHSA-pwm3-7fv4-g6xx","PYSEC-2026-148"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wwur-1fuu-yka1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65665?format=json","vulnerability_id":"VCID-yu3w-ev5z-uuhc","summary":"Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25517","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.02997","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03009","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25517"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.6","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.6"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.4","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.4"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.1.3","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.1.3"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.2","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.2"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.3","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.3"},{"reference_url":"https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719","reference_id":"01fd3477365a193e6a8270311defb76e890d2719","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719"},{"reference_url":"https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f","reference_id":"5f09b6da61e779b0e8499bdbba52bf2f7bd3241f","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f"},{"reference_url":"https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190","reference_id":"73f070dbefbd3b39ea6649ce36bd2d2a6eef2190","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190"},{"reference_url":"https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915","reference_id":"7dfe8de5f8b3f112c73c87b6729197db16454915","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25517","reference_id":"CVE-2026-25517","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25517"},{"reference_url":"https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03","reference_id":"dd824023a031f1b82a6b6f83a97a5c73391b7c03","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03"},{"reference_url":"https://github.com/advisories/GHSA-4qvv-g3vr-m348","reference_id":"GHSA-4qvv-g3vr-m348","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4qvv-g3vr-m348"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348","reference_id":"GHSA-4qvv-g3vr-m348","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38667?format=json","purl":"pkg:pypi/wagtail@6.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/38665?format=json","purl":"pkg:pypi/wagtail@7.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/38662?format=json","purl":"pkg:pypi/wagtail@7.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/38671?format=json","purl":"pkg:pypi/wagtail@7.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/38658?format=json","purl":"pkg:pypi/wagtail@7.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3"}],"aliases":["CVE-2026-25517","GHSA-4qvv-g3vr-m348"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yu3w-ev5z-uuhc"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52656?format=json","vulnerability_id":"VCID-99z5-t38m-fkes","summary":"Wagtail is an open source content management system built on Django. In affected versions if a model has been made available for editing through the `wagtail.contrib.settings` module or `ModelViewSet`, and the `permission` argument on `FieldPanel` has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific field can craft an HTTP POST request that bypasses the permission check on the individual field, allowing them to update its value. This vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, or by a user who has not been granted edit access to the model in question. The editing interfaces for pages and snippets are also unaffected. Patched versions have been released as Wagtail 6.0.3 and 6.1. Wagtail releases prior to 6.0 are unaffected. Users are advised to upgrade. Site owners who are unable to upgrade to a patched version can avoid the vulnerability as follows: 1.For models registered through `ModelViewSet`, register the model as a snippet instead; 2. For settings models, place the restricted fields in a separate settings model, and configure permission at the model level.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32882","reference_id":"","reference_type":"","scores":[{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24241","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.24437","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-32882"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/fa0d4829f9c81eefb37cc058e2fa1b6a918741da","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/fa0d4829f9c81eefb37cc058e2fa1b6a918741da"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v6.0.3","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v6.0.3"},{"reference_url":"https://github.com/wagtail/wagtail/commit/ab2a5d82b4ee3c909d2456704388ccf90e367c9b","reference_id":"ab2a5d82b4ee3c909d2456704388ccf90e367c9b","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T13:08:02Z/"}],"url":"https://github.com/wagtail/wagtail/commit/ab2a5d82b4ee3c909d2456704388ccf90e367c9b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32882","reference_id":"CVE-2024-32882","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32882"},{"reference_url":"https://docs.wagtail.org/en/stable/extending/generic_views.html#modelviewset","reference_id":"generic_views.html#modelviewset","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T13:08:02Z/"}],"url":"https://docs.wagtail.org/en/stable/extending/generic_views.html#modelviewset"},{"reference_url":"https://github.com/advisories/GHSA-w2v8-php4-p8hc","reference_id":"GHSA-w2v8-php4-p8hc","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w2v8-php4-p8hc"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-w2v8-php4-p8hc","reference_id":"GHSA-w2v8-php4-p8hc","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T13:08:02Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-w2v8-php4-p8hc"},{"reference_url":"https://docs.wagtail.org/en/stable/reference/pages/panels.html#wagtail.admin.panels.FieldPanel.permission","reference_id":"panels.html#wagtail.admin.panels.FieldPanel.permission","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T13:08:02Z/"}],"url":"https://docs.wagtail.org/en/stable/reference/pages/panels.html#wagtail.admin.panels.FieldPanel.permission"},{"reference_url":"https://docs.wagtail.org/en/stable/reference/contrib/settings.html","reference_id":"settings.html","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T13:08:02Z/"}],"url":"https://docs.wagtail.org/en/stable/reference/contrib/settings.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/30838?format=json","purl":"pkg:pypi/wagtail@6.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-et9z-2d6h-zbgs"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/84305?format=json","purl":"pkg:pypi/wagtail@6.1rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.1rc1"}],"aliases":["CVE-2024-32882","GHSA-w2v8-php4-p8hc"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-99z5-t38m-fkes"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.0.3"}