{"url":"http://public2.vulnerablecode.io/api/packages/64136?format=json","purl":"pkg:pypi/wagtail@1.4.2","type":"pypi","namespace":"","name":"wagtail","version":"1.4.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.0.7","latest_non_vulnerable_version":"7.3.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67858?format=json","vulnerability_id":"VCID-7uqp-knu1-sybq","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44197","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10234","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11896","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44197"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-146.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-146.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"ur
l":"https://github.com/wagtail/wagtail"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44197","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44197"},{"reference_url":"https://github.com/advisories/GHSA-c6wj-9vcj-75pj","reference_id":"GHSA-c6wj-9vcj-75pj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c6wj-9vcj-75pj"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj","reference_id":"GHSA-c6wj-9vcj-75pj","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:52:47Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/93072?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/93073?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44197","GHSA-c6wj-9vcj-75pj","PYSEC-2026-146"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabili
ties/VCID-7uqp-knu1-sybq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69261?format=json","vulnerability_id":"VCID-feyw-n44z-cuc9","summary":"Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the \"Translate\" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28223","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13925","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.14042","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28223"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863","reference_id":"1c6f2effed68f4ccad6fbd07987e03641505f863","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Trac
k","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863"},{"reference_url":"https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19","reference_id":"ba70244d376a7b1bd180ded03e827917ff410c19","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28223","reference_id":"CVE-2026-28223","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28223"},{"reference_url":"https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c","reference_id":"d8c5900982df8ed5938ad993aa9ff69cda50f80c","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c"},{"reference_url":"https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143","reference_id":"ee39d39deeb7f250fe886417b24802d7e05b1143","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_el
ements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143"},{"reference_url":"https://github.com/advisories/GHSA-p4v8-rw59-93cq","reference_id":"GHSA-p4v8-rw59-93cq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p4v8-rw59-93cq"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq","reference_id":"GHSA-p4v8-rw59-93cq","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8","reference_id":"v6.3.8","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6","reference_id":"v7.0.6","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERA
TE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3","reference_id":"v7.2.3","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1","reference_id":"v7.3.1","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T10:39:12Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40103?format=json","purl":"pkg:pypi/wagtail@6.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/40101?format=json","purl":"pkg:pypi/wagtail@7.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerabilit
y":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/40099?format=json","purl":"pkg:pypi/wagtail@7.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/40100?format=json","purl":"pkg:pypi/wagtail@7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1"}],"aliases":["CVE-2026-28223","GHSA-p4v8-rw59-93cq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-feyw-n44z-cuc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218348?format=json","vulnerability_id":"VCID-kqwq-kfbc-p3gk","summary":"Wagtail is an open source content management system built on Django. A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. Patched versions have been released as Wagtail 4.1.8 (LTS), 5.0.5 and 5.1.3. 
The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45809","reference_id":"","reference_type":"","scores":[{"value":"0.00232","scoring_system":"epss","scoring_elements":"0.46279","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00232","scoring_system":"epss","scoring_elements":"0.46135","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45809"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-219.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-219.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/0bacd29473107d9d7f5b723a15a683449679756d","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/0bacd29473107d9d7f5b723a15a683449679756d"},{"reference_url":"https://github.com/wagtail/wagtail/commit/2231f462c75dfe84307fb40577e8c2109a23b27e","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS
:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/2231f462c75dfe84307fb40577e8c2109a23b27e"},{"reference_url":"https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v4.1.9","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v4.1.9"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v5.0.5","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v5.0.5"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v5.1.3","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v5.1.3"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"v
alue":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45809","reference_id":"","reference_type":"","scores":[{"value":"2.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45809"},{"reference_url":"https://github.com/advisories/GHSA-fc75-58r8-rm3h","reference_id":"GHSA-fc75-58r8-rm3h","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fc75-58r8-rm3h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79543?format=json","purl":"pkg:pypi/wagtail@4.1.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.1.9"},{"url":"http://public2.vulnerablecode.io/api/packages/75455?format=json","purl":"pkg:pypi/wagtail@4.2rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":
"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/79544?format=json","purl":"pkg:pypi/wagtail@5.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.0.5"},{"url":"http://public2.vulnerablecode.io/api/packages/84293?format=json","purl":"pkg:pypi/wagtail@5.1rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.1rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/79545?format=json","purl":"pkg:pypi/wagtail@5.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@5.1.3"}],"aliases":["CVE-2023-45809","GHSA-fc75-58r8-rm3h","PYSEC-2023-219"],"risk_score":1.4,"
exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kqwq-kfbc-p3gk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67766?format=json","vulnerability_id":"VCID-mcfk-qckt-eug8","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44201","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02019","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02554","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44201"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-150.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-150.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44201","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L
/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44201"},{"reference_url":"https://github.com/advisories/GHSA-p5gm-92h4-6pv6","reference_id":"GHSA-p5gm-92h4-6pv6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p5gm-92h4-6pv6"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6","reference_id":"GHSA-p5gm-92h4-6pv6","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:45:22Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/93072?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/93073?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44201","GHSA-p5gm-92h4-6pv6","PYSEC-2026-150"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mcfk-qckt-eug8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/204755?format=json","vulnerability_id":"VCID-n376-vr5v-c7hh","summary":"Potential Observable Timing Discrepancy in 
Wagtail","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11037","reference_id":"","reference_type":"","scores":[{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16874","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16724","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11037"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-153.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N"},{"value":"4.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-153.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N"},{"value":"4.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/3c030490ed575bb9cd01dfb3a890477dcaeb2edf","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N"},{"value":"4.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/3c030490ed575bb9cd01dfb3a8904
77dcaeb2edf"},{"reference_url":"https://github.com/wagtail/wagtail/commit/b76ab57ee859732b9cf9287d380493ab24061090","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N"},{"value":"4.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/b76ab57ee859732b9cf9287d380493ab24061090"},{"reference_url":"https://github.com/wagtail/wagtail/commit/ba9d424bd1ca5ce1910d3de74f5cc07214fbfb11","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N"},{"value":"4.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/ba9d424bd1ca5ce1910d3de74f5cc07214fbfb11"},{"reference_url":"https://github.com/wagtail/wagtail/commit/bac3cd0a26b023e595cf2959aae7da15bb5e4340","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N"},{"value":"4.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/bac3cd0a26b023e595cf2959aae7da15bb5e4340"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11037","reference_id":"CVE-2020-11037","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N"},{"value":"4.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:
L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11037"},{"reference_url":"https://github.com/advisories/GHSA-jjjr-3jcw-f8v6","reference_id":"GHSA-jjjr-3jcw-f8v6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jjjr-3jcw-f8v6"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6","reference_id":"GHSA-jjjr-3jcw-f8v6","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-jjjr-3jcw-f8v6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16432?format=json","purl":"pkg:pypi/wagtail@2.7.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-rvs7-5u4q-gyfz"},{"vulnerability":"VCID-sgr3-pxdc-p7fa"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"},{"vulnerability":"VCID-z3a5-fe5t-eka3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.7.3"},{"url":"http://public2.vulnerablecode.io/api/
packages/16434?format=json","purl":"pkg:pypi/wagtail@2.8.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-rvs7-5u4q-gyfz"},{"vulnerability":"VCID-sgr3-pxdc-p7fa"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"},{"vulnerability":"VCID-z3a5-fe5t-eka3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.8.2"},{"url":"http://public2.vulnerablecode.io/api/packages/16431?format=json","purl":"pkg:pypi/wagtail@2.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-rvs7-5u4q-gyfz"},{"vulnerability":"VCID-sgr3-pxdc-p7fa"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"},{"vulnerability":"VCID-z3a5-fe5t-eka3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.9"}],"aliases":["CVE-2020-11037","GHSA-jjjr-3jcw-f8v6","PYSEC-2020-153"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n376-vr5v-c7hh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67645?format=json","vulnerability_id":"VCID-r4v4-7425-yqgd","summary":"Wagtail is 
an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44198","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09019","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.1057","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44198"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-147.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-147.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44198","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44198"},{"reference_url":"https://github.com/advisories/GHSA-c4mr-889m-vgf6","reference_id":"GHSA-c4mr-889m-vgf6","reference_type":"","scores":[{"value
":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c4mr-889m-vgf6"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6","reference_id":"GHSA-c4mr-889m-vgf6","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:53:32Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/93072?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/93073?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44198","GHSA-c4mr-889m-vgf6","PYSEC-2026-147"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r4v4-7425-yqgd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/205047?format=json","vulnerability_id":"VCID-rvs7-5u4q-gyfz","summary":"Cross-Site Scripting in 
Wagtail","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15118","reference_id":"","reference_type":"","scores":[{"value":"0.00595","scoring_system":"epss","scoring_elements":"0.69893","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00595","scoring_system":"epss","scoring_elements":"0.69802","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15118"},{"reference_url":"https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.Field.help_text","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.Field.help_text"},{"reference_url":"https://docs.wagtail.io/en/stable/reference/contrib/forms/index.html#usage","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://docs.wagtail.io/en/stable/reference/contrib/forms/index.html#usage"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-154.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}]
,"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2020-154.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/blob/master/docs/releases/2.9.3.rst","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/blob/master/docs/releases/2.9.3.rst"},{"reference_url":"https://github.com/wagtail/wagtail/commit/d9a41e7f24d08c024acc9a3094940199df94db34","reference_id":"","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/d9a41e7f24d08c024acc9a3094940199df94db34"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15118","reference_id":"CVE-2020-15118","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:
N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15118"},{"reference_url":"https://github.com/advisories/GHSA-2473-9hgq-j7xw","reference_id":"GHSA-2473-9hgq-j7xw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2473-9hgq-j7xw"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-2473-9hgq-j7xw","reference_id":"GHSA-2473-9hgq-j7xw","reference_type":"","scores":[{"value":"5.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-2473-9hgq-j7xw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/16759?format=json","purl":"pkg:pypi/wagtail@2.7.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-sgr3-pxdc-p7fa"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"},{"vulnerability":"VCID-z3a5-fe5t-eka3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.7.4"},{"url":"http://public2.vulnerablecode.io/api/packages/16760?format=json","purl":"pkg:pypi/wagtail@2.9.3","is_vulnerable":true,"affected_by_vulnerabilit
ies":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-sgr3-pxdc-p7fa"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"},{"vulnerability":"VCID-z3a5-fe5t-eka3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.9.3"}],"aliases":["CVE-2020-15118","GHSA-2473-9hgq-j7xw","PYSEC-2020-154"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rvs7-5u4q-gyfz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218132?format=json","vulnerability_id":"VCID-sgr3-pxdc-p7fa","summary":"Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. 
Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29434","reference_id":"","reference_type":"","scores":[{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51046","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00274","scoring_system":"epss","scoring_elements":"0.51176","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-29434"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-114.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_t
extual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/5c7a60977cba478f6a35390ba98cffc2bd41c8a4"},{"reference_url":"https://github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/commit/915f6ed2bd7d53154103cc4424a0f18695cdad6c"},{"reference_url":"https://github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/compare/v2.11.6...v2.11.7"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-wq5h-f9p5-q7fx"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29434","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI
:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29434"},{"reference_url":"https://pypi.org/project/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"8.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://pypi.org/project/wagtail"},{"reference_url":"https://pypi.org/project/wagtail/","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/wagtail/"},{"reference_url":"https://github.com/advisories/GHSA-wq5h-f9p5-q7fx","reference_id":"GHSA-wq5h-f9p5-q7fx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wq5h-f9p5-q7fx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64170?format=json","purl":"pkg:pypi/wagtail@2.11.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-sgr3-pxdc-p7fa"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"},{"vulnerability":"VCID-z3a5-fe5t-eka3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.6"},{"url":"http://public2.vulnerabl
ecode.io/api/packages/64175?format=json","purl":"pkg:pypi/wagtail@2.11.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"},{"vulnerability":"VCID-z3a5-fe5t-eka3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.7"},{"url":"http://public2.vulnerablecode.io/api/packages/64176?format=json","purl":"pkg:pypi/wagtail@2.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"},{"vulnerability":"VCID-z3a5-fe5t-eka3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.12.4"}],"aliases":["CVE-2021-29434","GHSA-wq5h-f9p5-q7fx","PYSEC-2021-114"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sgr3-pxdc-p7fa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67759?format=json","vulnerability_id":"VCID-t8am-3wuh-6ka2","summary":"Wagtail is an open source content management system built on Django. 
Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44200","reference_id":"","reference_type":"","scores":[{"value":"0.00027","scoring_system":"epss","scoring_elements":"0.08198","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09612","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44200"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-149.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-149.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44200","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44200"},{"reference_url":"https://github.com/advisories/GHSA-67rv-mg8q-5pf3","refere
nce_id":"GHSA-67rv-mg8q-5pf3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-67rv-mg8q-5pf3"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3","reference_id":"GHSA-67rv-mg8q-5pf3","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:54:04Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/93072?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/93073?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44200","GHSA-67rv-mg8q-5pf3","PYSEC-2026-149"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t8am-3wuh-6ka2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/134072?format=json","vulnerability_id":"VCID-tprz-998x-rfch","summary":"Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. 
A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service.\n\nThe vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents.\n\nImage uploads are restricted to 10MB by default, however this validation only happens on the frontend and on the backend after the vulnerable code. \n\nPatched versions have been released as Wagtail 4.1.4 and Wagtail 4.2.2. Site owners who are unable to upgrade to the new versions are encouraged to add extra protections outside of Wagtail to limit the size of uploaded files.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28837","reference_id":"","reference_type":"","scores":[{"value":"0.013","scoring_system":"epss","scoring_elements":"0.80208","published_at":"2026-06-12T12:55:00Z"},{"value":"0.013","scoring_system":"epss","scoring_elements":"0.80146","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-28837"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-56.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-56.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/A
V:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28837","reference_id":"","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28837"},{"reference_url":"https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880","reference_id":"3c0c64642b9e5b8d28b111263c7f4bddad6c3880","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/commit/3c0c64642b9e5b8d28b111263c7f4bddad6c3880"},{"reference_url":"https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165","reference_id":"c9d2fcd650a88d76ae122646142245e5927a9165","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/
VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/commit/c9d2fcd650a88d76ae122646142245e5927a9165"},{"reference_url":"https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf","reference_id":"cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/commit/cfa11bbe00dbe7ce8cd4c0bbfe2a898a690df2bf"},{"reference_url":"https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a","reference_id":"d4022310cbe497993459c3136311467c7ac6329a","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/commit/d4022310cbe497993459c3136311467c7ac6329a"},{"reference_url":"htt
ps://github.com/advisories/GHSA-33pv-vcgh-jfg9","reference_id":"GHSA-33pv-vcgh-jfg9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-33pv-vcgh-jfg9"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9","reference_id":"GHSA-33pv-vcgh-jfg9","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-33pv-vcgh-jfg9"},{"reference_url":"https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size","reference_id":"settings.html#wagtailimages-max-upload-size","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size"},{"reference_url":"https://github.com/wagtai
l/wagtail/releases/tag/v4.1.4","reference_id":"v4.1.4","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v4.1.4"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v4.2.2","reference_id":"v4.2.2","reference_type":"","scores":[{"value":"4.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"5.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:36:47Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v4.2.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/75454?format=json","purl":"pkg:pypi/wagtail@4.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5
z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.1.4"},{"url":"http://public2.vulnerablecode.io/api/packages/75455?format=json","purl":"pkg:pypi/wagtail@4.2rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/75453?format=json","purl":"pkg:pypi/wagtail@4.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@4.2.2"}],"aliases":["CVE-2023-28837","GHSA-33pv-vcgh-jfg9","PYSEC-2023-56"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tprz-998x-rfch"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69146?format=json","vulnerability_id":"VCID-w5jh-4xaa-qyg2","summary":"Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. 
A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28222","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29493","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.2969","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28222"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d","reference_id":"0375094bb57ce6e527005c2bb2e871dd20bca04d","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d"},{"reference_url":"https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e","reference_id"
:"4620423cb22c5253391a0f04178089c1162f6e2e","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e"},{"reference_url":"https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85","reference_id":"575c0d7c18c7716ed73f7a3c2720ad75956f0a85","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85"},{"reference_url":"https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b","reference_id":"605a5569686565e035313222e1bc2f9802fbc55b","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28222","reference_id":"CVE-2026-28222","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.g
ov/vuln/detail/CVE-2026-28222"},{"reference_url":"https://github.com/advisories/GHSA-p5cm-246w-84jm","reference_id":"GHSA-p5cm-246w-84jm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p5cm-246w-84jm"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm","reference_id":"GHSA-p5cm-246w-84jm","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8","reference_id":"v6.3.8","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6","reference_id":"v7.0.6","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7
.2.3","reference_id":"v7.2.3","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1","reference_id":"v7.3.1","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40103?format=json","purl":"pkg:pypi/wagtail@6.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/40101?format=json","purl":"pkg:pypi/wagtail@7.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/40099?format=json","purl":"pkg:pypi/wagtail@7.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulner
ability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/40100?format=json","purl":"pkg:pypi/wagtail@7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1"}],"aliases":["CVE-2026-28222","GHSA-p5cm-246w-84jm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w5jh-4xaa-qyg2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68053?format=json","vulnerability_id":"VCID-wwur-1fuu-yka1","summary":"Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to: by crafting a form submission against a page they do have access to, they could request deletion of submissions they don't have access to. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. 
This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44199","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09491","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.1109","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44199"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-148.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2026-148.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44199","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44199"},{"reference_url":"https://github.com/advisories/GHSA-pwm3-7fv4-g6xx","reference_id":"GHSA-pwm3-7fv4-g6xx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pwm3-7fv4-g6xx"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx","reference_id":"GHSA-pwm3-7f
v4-g6xx","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:22:48Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/93072?format=json","purl":"pkg:pypi/wagtail@7.0.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.7"},{"url":"http://public2.vulnerablecode.io/api/packages/93073?format=json","purl":"pkg:pypi/wagtail@7.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.2"}],"aliases":["CVE-2026-44199","GHSA-pwm3-7fv4-g6xx","PYSEC-2026-148"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wwur-1fuu-yka1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65665?format=json","vulnerability_id":"VCID-yu3w-ev5z-uuhc","summary":"Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. 
The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25517","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.02997","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03009","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25517"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.6","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.6"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.4","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.4"},{"reference_url":"https://
github.com/wagtail/wagtail/releases/tag/v7.1.3","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.1.3"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.2","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.2"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.3","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.3"},{"reference_url":"https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719","reference_id":"01fd3477365a193e6a8270311defb76e890d2719","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719"},{"reference_url":"https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f","reference_id":"5f09b6da61e779b0e8499bdbba52bf2f7bd3241f","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elemen
ts":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f"},{"reference_url":"https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190","reference_id":"73f070dbefbd3b39ea6649ce36bd2d2a6eef2190","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190"},{"reference_url":"https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915","reference_id":"7dfe8de5f8b3f112c73c87b6729197db16454915","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25517","reference_id":"CVE-2026-25517","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25517"},{"reference_url":"https://gith
ub.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03","reference_id":"dd824023a031f1b82a6b6f83a97a5c73391b7c03","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03"},{"reference_url":"https://github.com/advisories/GHSA-4qvv-g3vr-m348","reference_id":"GHSA-4qvv-g3vr-m348","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4qvv-g3vr-m348"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348","reference_id":"GHSA-4qvv-g3vr-m348","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:11Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38667?format=json","purl":"pkg:pypi/wagtail@6.3.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/p
ackages/pkg:pypi/wagtail@6.3.6"},{"url":"http://public2.vulnerablecode.io/api/packages/38665?format=json","purl":"pkg:pypi/wagtail@7.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/38662?format=json","purl":"pkg:pypi/wagtail@7.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.1.3"},{"url":"http://public2.vulnerablecode.io/api/packages/38671?format=json","purl":"pkg:pypi/wagtail@7.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.2"},{"url":"http://public2.vulnerablecode.io/api/packages/38658?format=json","purl":"pkg:pypi/wagtail@7.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnera
bility":"VCID-wwur-1fuu-yka1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3"}],"aliases":["CVE-2026-25517","GHSA-4qvv-g3vr-m348"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yu3w-ev5z-uuhc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/218168?format=json","vulnerability_id":"VCID-z3a5-fe5t-eka3","summary":"Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's `{{ ... }}` syntax - e.g. 
`{% include_block my_title_block %}` becomes `{{ my_title_block }}`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32681","reference_id":"","reference_type":"","scores":[{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.53118","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00294","scoring_system":"epss","scoring_elements":"0.53245","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32681"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-103.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2021-103.yaml"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v2.11.8","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/re
leases/tag/v2.11.8"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v2.12.5","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v2.12.5"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v2.13.2","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/releases/tag/v2.13.2"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32681","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"v
alue":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32681"},{"reference_url":"https://github.com/advisories/GHSA-xfrw-hxr5-ghqf","reference_id":"GHSA-xfrw-hxr5-ghqf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xfrw-hxr5-ghqf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65380?format=json","purl":"pkg:pypi/wagtail@2.11.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.11.8"},{"url":"http://public2.vulnerablecode.io/api/packages/75417?format=json","purl":"pkg:pypi/wagtail@2.12rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.12rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/65381?format=json","purl":"pkg:pypi/wagtail@2.12.5","is_vulnerable":true,"af
fected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.12.5"},{"url":"http://public2.vulnerablecode.io/api/packages/75419?format=json","purl":"pkg:pypi/wagtail@2.13rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.13rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/65382?format=json","purl":"pkg:pypi/wagtail@2.13.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7uqp-knu1-sybq"},{"vulnerability":"VCID-cjcd-dc6y-27gb"},{"vulnerability":"VCID-feyw-n44z-cuc9"},{"vulnerability":"VCID-gmht-envk-pbd8"},{"vulnerability":"VCID-kqwq-kfbc-p3gk"},{"vulnerability":"VCID-mcfk-qckt-eug8"},{"vulnerability":"VCID-pdza-s2q4-cbe2"},{"vulnerability":"VCID-r4v4-7425-yqgd"},{"vulnerability":"VCID-t8am-3wuh-6ka2"},{"vulnerability":"VCID-tprz-998x-rfch"},{"vulnerability":"VCID-w5jh-4xaa-qyg2"},{"vulnerability":"VCID-wwur-1fuu-yka1"},{"vulnerability":"VCID-yu3w-ev5z-uuhc"}],"re
source_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@2.13.2"}],"aliases":["CVE-2021-32681","GHSA-xfrw-hxr5-ghqf","PYSEC-2021-103"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z3a5-fe5t-eka3"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@1.4.2"}