Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-12d4-1bj5-2yb5
Vulnerability ID VCID-12d4-1bj5-2yb5
Aliases CVE-2026-44199
GHSA-pwm3-7fv4-g6xx
PYSEC-2026-148
Summary Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
Status Published
Exploitability 0.5
Weighted Severity 5.9
Risk 3.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-280 Improper Handling of Insufficient Permissions or Privileges
System Score Found at
epss 0.00031 https://api.first.org/data/v1/epss?cve=CVE-2026-44199
cvssv3.1 6.5 https://github.com/wagtail/wagtail
generic_textual MODERATE https://github.com/wagtail/wagtail
cvssv3.1 6.5 https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx
generic_textual MODERATE https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx
ssvc Track https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2026-44199
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-44199
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-44199
https://github.com/wagtail/wagtail
https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx
https://nvd.nist.gov/vuln/detail/CVE-2026-44199
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/wagtail/wagtail
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:22:48Z/ Found at https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-44199
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.09514
EPSS Score 0.00031
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:38:28.094309+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-148.yaml 38.6.0