VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-td22-w1m4-dfek

Essentials
Severities (0)
References (4)
Severity details (0)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-td22-w1m4-dfek
Aliases	CVE-2021-32681 GHSA-xfrw-hxr5-ghqf PYSEC-2021-103
Summary	Wagtail is an open source content management system built on Django. A cross-site scripting vulnerability exists in versions 2.13-2.13.1, versions 2.12-2.12.4, and versions prior to 2.11.8. When the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block (`CharBlock`, `TextBlock` or a similar user-defined block derived from `FieldBlock`), and that block does not specify a template for rendering, the tag output is not properly escaped as HTML. This could allow users to insert arbitrary HTML or scripting. This vulnerability is only exploitable by users with the ability to author StreamField content (i.e. users with 'editor' access to the Wagtail admin). Patched versions have been released as Wagtail 2.11.8 (for the LTS 2.11 branch), Wagtail 2.12.5, and Wagtail 2.13.2 (for the current 2.13 branch). As a workaround, site implementors who are unable to upgrade to a current supported version should audit their use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values with no associated template. Note that this only applies where `{% include_block %}` is used directly on that block (uses of `include_block` on a block _containing_ a CharBlock / TextBlock, such as a StructBlock, are unaffected). In these cases, the tag can be replaced with Django's `{{ ... }}` syntax - e.g. `{% include_block my_title_block %}` becomes `{{ my_title_block }}`.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (0)

There are no known CWE.

System	Score	Found at
There are no known severity scores.

Reference id	Reference type	URL
		https://github.com/wagtail/wagtail/releases/tag/v2.11.8
		https://github.com/wagtail/wagtail/releases/tag/v2.12.5
		https://github.com/wagtail/wagtail/releases/tag/v2.13.2
		https://github.com/wagtail/wagtail/security/advisories/GHSA-xfrw-hxr5-ghqf

No exploits are available.

There are no known vectors.

No EPSS data available for this vulnerability.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:14:11.480984+00:00	Pypa Importer	Import	https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2021-103.yaml	38.6.0