{"url":"http://public2.vulnerablecode.io/api/packages/49170?format=json","purl":"pkg:pypi/wagtail@6.3.8","type":"pypi","namespace":"","name":"wagtail","version":"6.3.8","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.0.7","latest_non_vulnerable_version":"7.3.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9658?format=json","vulnerability_id":"VCID-12d4-1bj5-2yb5","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44199","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09514","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44199"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B
:A/M:M/D:T/2026-05-11T18:22:48Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44199","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44199"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49195?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/49196?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44199","GHSA-pwm3-7fv4-g6xx","PYSEC-2026-148"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-12d4-1bj5-2yb5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9657?format=json","vulnerability_id":"VCID-2upt-d3sg-ebea","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. 
This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44198","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09075","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44198"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:53:32Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44198","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44198"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49195?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/49196?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vul
nerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44198","GHSA-c4mr-889m-vgf6","PYSEC-2026-147"],"risk_score":1.9,"exploitability":"0.5","weighted_severity":"3.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2upt-d3sg-ebea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9656?format=json","vulnerability_id":"VCID-5p3e-kwee-ukfr","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44197","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10242","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44197"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:52:47Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/G
HSA-c6wj-9vcj-75pj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44197","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44197"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49195?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/49196?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44197","GHSA-c6wj-9vcj-75pj","PYSEC-2026-146"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5p3e-kwee-ukfr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9660?format=json","vulnerability_id":"VCID-qf1m-zu2w-dbds","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. 
This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44201","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02074","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44201"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:45:22Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44201","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44201"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49195?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/49196?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vu
lnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44201","GHSA-p5gm-92h4-6pv6","PYSEC-2026-150"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qf1m-zu2w-dbds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9659?format=json","vulnerability_id":"VCID-yvjp-hx9y-mkgf","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44200","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08279","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44200"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:54:04Z/"}],"url":"http
s://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44200","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44200"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49195?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/49196?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44200","GHSA-67rv-mg8q-5pf3","PYSEC-2026-149"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"5.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yvjp-hx9y-mkgf"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22963?format=json","vulnerability_id":"VCID-672q-fuy3-yqd1","summary":"Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface\nA stored Cross-site Scripting (XSS) vulnerability exists on confirmation messages within the `wagtail.contrib.simple_translation` module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the \"Translate\" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. 
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28223","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.1391","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28223"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863"},{"reference_url":"https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19"},{"reference_url":"https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c","reference_id":"","reference_type":"","scores":[{
"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c"},{"reference_url":"https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6"},{"reference_url":"https://github.com/wagtail/wagtail/releas
es/tag/v7.2.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28223","reference_id":"CVE-2026-28223","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28223"},{"reference_url":"https://github.com/advisories/GHSA-p4v8-rw59-93cq","reference_id":"GHSA-p4v8-rw59-93cq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p4v8-rw59-93cq"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq","reference_id":"GHSA-p4v8-rw59-93cq","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{
"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49170?format=json","purl":"pkg:pypi/wagtail@6.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/49182?format=json","purl":"pkg:pypi/wagtail@7.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/49191?format=json","purl":"pkg:pypi/wagtail@7.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/49194?format=json","purl":"pkg:pypi/wagtail@7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1"}],"aliases":["
CVE-2026-28223","GHSA-p4v8-rw59-93cq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-672q-fuy3-yqd1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22964?format=json","vulnerability_id":"VCID-prth-nf4k-nqe5","summary":"Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes\nA stored Cross-site Scripting (XSS) vulnerability exists on rendering `TableBlock` blocks within a StreamField. A user with access to create or edit pages containing `TableBlock` StreamField blocks is able to set specially-crafted `class` attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28222","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29604","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28222"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"s
svc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d"},{"reference_url":"https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e"},{"reference_url":"https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85"},{"reference_url":"https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scor
ing_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28222","reference_id":"CVE-2026-28222","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements"
:"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28222"},{"reference_url":"https://github.com/advisories/GHSA-p5cm-246w-84jm","reference_id":"GHSA-p5cm-246w-84jm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p5cm-246w-84jm"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm","reference_id":"GHSA-p5cm-246w-84jm","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49170?format=json","purl":"pkg:pypi/wagtail@6.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/49182?format=json","purl":"pkg:pypi/wagtail@7.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6"},{"url":"http://p
ublic2.vulnerablecode.io/api/packages/49191?format=json","purl":"pkg:pypi/wagtail@7.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/49194?format=json","purl":"pkg:pypi/wagtail@7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1"}],"aliases":["CVE-2026-28222","GHSA-p5cm-246w-84jm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-prth-nf4k-nqe5"}],"risk_score":"3.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8"}