{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22964?format=json","vulnerability_id":"VCID-prth-nf4k-nqe5","summary":"Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes\nA stored Cross-site Scripting (XSS) vulnerability exists on rendering `TableBlock` blocks within a StreamField. A user with access to create or edit pages containing `TableBlock` StreamField blocks is able to set specially-crafted `class` attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock.","aliases":[{"alias":"CVE-2026-28222"},{"alias":"GHSA-p5cm-246w-84jm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49170?format=json","purl":"pkg:pypi/wagtail@6.3.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.3.8"},{"url":"http://public2.vulnerablecode.io/api/packages/49182?format=json","purl":"pkg:pypi/wagtail@7.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.0.6"},{"url":"http://public2.vulnerablecode.io/api/packages/49191?format=json","purl":"pkg:pypi/wagtail@7.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.2.3"},{"url":"http://public2.vulnerablecode.io/api/packages/49194?format=json","purl":"pkg:pypi/wagtail@7.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49171?format=json","purl":"pkg:pypi/wagtail@6.4rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-1dyp-u5tf-mqhh"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-672q-fuy3-yqd1"},{"vulnerability":"VCID-prth-nf4k-nqe5"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@6.4rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/72610?format=json","purl":"pkg:pypi/wagtail@7.1rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1dyp-u5tf-mqhh"},{"vulnerability":"VCID-672q-fuy3-yqd1"},{"vulnerability":"VCID-prth-nf4k-nqe5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.1rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/49192?format=json","purl":"pkg:pypi/wagtail@7.3rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-12d4-1bj5-2yb5"},{"vulnerability":"VCID-1dyp-u5tf-mqhh"},{"vulnerability":"VCID-2upt-d3sg-ebea"},{"vulnerability":"VCID-5p3e-kwee-ukfr"},{"vulnerability":"VCID-672q-fuy3-yqd1"},{"vulnerability":"VCID-prth-nf4k-nqe5"},{"vulnerability":"VCID-qf1m-zu2w-dbds"},{"vulnerability":"VCID-yvjp-hx9y-mkgf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/wagtail@7.3rc1"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28222","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29604","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28222"},{"reference_url":"https://github.com/wagtail/wagtail","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wagtail/wagtail"},{"reference_url":"https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d"},{"reference_url":"https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e"},{"reference_url":"https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85"},{"reference_url":"https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v6.3.8"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.0.6"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.2.3"},{"reference_url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/releases/tag/v7.3.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28222","reference_id":"CVE-2026-28222","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28222"},{"reference_url":"https://github.com/advisories/GHSA-p5cm-246w-84jm","reference_id":"GHSA-p5cm-246w-84jm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p5cm-246w-84jm"},{"reference_url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm","reference_id":"GHSA-p5cm-246w-84jm","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-06T18:05:22Z/"}],"url":"https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm"}],"weaknesses":[{"cwe_id":79,"name":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","description":"The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-prth-nf4k-nqe5"}