| Vulnerability ID | VCID-9u79-7g62-23dk |
| Aliases | CVE-2024-39317, GHSA-jmp3-39vp-fwg8, PYSEC-2024-86 |
| Summary | Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| epss | 0.00329 | https://api.first.org/data/v1/epss?cve=CVE-2024-39317 |
| cvssv3.1_qr | HIGH | https://github.com/advisories/GHSA-jmp3-39vp-fwg8 |
| cvssv3.1 | 4.9 | https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2 |
| cvssv3.1 | 4.9 | https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797 |
| cvssv3.1 | 4.9 | https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2 |
| cvssv3.1 | 4.9 | https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8 |
| cvssv3.1_qr | HIGH | https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8 |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
| network, adjacent_network, local, physical | low, high | none, low, high | none, required | unchanged, changed | high, low, none | high, low, none | high, low, none |
| Percentile | 0.56125 |
| EPSS Score | 0.00329 |
| Published At | May 30, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-05-30T20:34:44.857516+00:00 | Pypa Importer | Import | https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2024-86.yaml | 38.6.0 |