Vulnerability details: VCID-cfkh-sdk4-3uan
Vulnerability ID VCID-cfkh-sdk4-3uan
Aliases CVE-2021-29434
GHSA-wq5h-f9p5-q7fx
PYSEC-2021-114
Summary Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with `javascript:` URLs containing arbitrary code. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. See referenced GitHub advisory for additional details, including a workaround. Patched versions have been released as Wagtail 2.11.7 (for the LTS 2.11 branch) and Wagtail 2.12.4 (for the current 2.12 branch).
Status Published
Exploitability None
Weighted Severity None
Risk None
Weaknesses (0)
There are no known CWEs.
System Score Found at
epss 0.00274 https://api.first.org/data/v1/epss?cve=CVE-2021-29434
No exploits are available.
There are no known vectors.
Exploit Prediction Scoring System (EPSS)
Percentile 0.50921
EPSS Score 0.00274
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:22:41.130600+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2021-114.yaml 38.6.0