SB20260505113 - Multiple vulnerabilities in wagtail
Published: May 5, 2026
Description
This security bulletin covers 5 vulnerabilities in wagtail. All five are of the same class (CWE-280): an admin view or API endpoint acts on an object named in the request without confirming that the requester actually holds permission on that object.
1) Improper Handling of Insufficient Permissions or Privileges (CVE-ID: N/A)
CWE-ID: CWE-280 - Improper Handling of Insufficient Permissions or Privileges
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated user to disclose sensitive information.
The revision compare view identifies the two revisions to diff by primary key and does not verify that the requesting user may edit the page those revisions belong to. A remote CMS user can supply the primary keys of two revisions of a page they cannot edit and read the content of those revisions.
The issue is exploitable by CMS users who do not have permission to edit the page in question; it requires a CMS account.
2) Improper Handling of Insufficient Permissions or Privileges (CVE-ID: N/A)
CWE-ID: CWE-280 - Improper Handling of Insufficient Permissions or Privileges
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated user to disclose sensitive information.
The page history report does not verify that the requesting user may edit the page whose history is requested. A remote CMS user can request the history report of a page they cannot edit and view its revision history.
The issue is exploitable by CMS users who do not have permission to edit the page in question; it requires a CMS account.
3) Improper Handling of Insufficient Permissions or Privileges (CVE-ID: N/A)
CWE-ID: CWE-280 - Improper Handling of Insufficient Permissions or Privileges
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated user to delete form submissions on form pages they are not authorized to manage.
The form submission deletion handler in the Wagtail admin does not verify that the requesting user has access to the form page the submissions belong to. A remote CMS user can craft a deletion request naming submissions of a form page they do not have access to, and those submissions are deleted.
Exploitation requires access to the Wagtail admin; an ordinary site visitor cannot trigger it.
4) Improper Handling of Insufficient Permissions or Privileges (CVE-ID: N/A)
CWE-ID: CWE-280 - Improper Handling of Insufficient Permissions or Privileges
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote unauthenticated attacker to disclose sensitive information.
The Documents and Images API lists items in private collections without checking whether the caller is permitted to see those collections. A remote attacker can query the API without authenticating and enumerate the items in private collections.
The exposed information is limited to the filename and name of documents and images in private collections; the file contents themselves are not disclosed through this issue.
5) Improper Handling of Insufficient Permissions or Privileges (CVE-ID: N/A)
CWE-ID: CWE-280 - Improper Handling of Insufficient Permissions or Privileges
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated user to disclose sensitive information.
The page copy permission check does not require the requesting user to have access to the source page. A remote CMS user can copy a page they cannot access into an area of the site tree they do control, and read its content from the copy.
The copied page becomes viewable to the user in the area they control, and it may also be possible for them to publish it.
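The following is an added example, not code from Wagtail or from these advisories. It models the shape of two of the failures above in plain Python: for issue 1, a revision-compare handler that checks permission on the page named in the request but then loads revisions purely by primary key, beside a hardened version that refuses revisions not belonging to that page; for issue 4, a media listing that ignores collection privacy for anonymous callers, beside a version that filters. The data model (Page, Revision, Collection, Document), the permission rule (a set of editors per page; private collections visible only to signed-in users) and the sample data are all constructed here and are not Wagtail's.

```python
# Added example (not Wagtail's code): minimal model of the authorization
# failures in the revision compare view (issue 1) and the media listing
# API (issue 4). All names, data and permission rules are hypothetical.
from dataclasses import dataclass
import difflib


class PermissionDenied(Exception):
    """Raised by the hardened handlers when a check fails."""


@dataclass(frozen=True)
class Page:
    pk: int
    title: str
    editors: frozenset  # usernames allowed to edit this page


@dataclass(frozen=True)
class Revision:
    pk: int
    page_pk: int
    content: str


@dataclass(frozen=True)
class Collection:
    pk: int
    name: str
    private: bool


@dataclass(frozen=True)
class Document:
    pk: int
    collection_pk: int
    filename: str


# Constructed sample data: alice edits page 1 only, bob edits page 2 only.
PAGES = {
    1: Page(1, "Public launch post", frozenset({"alice"})),
    2: Page(2, "Unannounced acquisition", frozenset({"bob"})),
}
REVISIONS = {
    10: Revision(10, 1, "Launch is on Monday."),
    11: Revision(11, 1, "Launch is on Tuesday."),
    20: Revision(20, 2, "Buying ExampleCorp for $50M."),
    21: Revision(21, 2, "Buying ExampleCorp for $55M."),
}
COLLECTIONS = {1: Collection(1, "Marketing", False), 2: Collection(2, "Legal", True)}
DOCUMENTS = {
    100: Document(100, 1, "brochure.pdf"),
    200: Document(200, 2, "merger-term-sheet.pdf"),
}


def can_edit(user, page_pk):
    return user in PAGES[page_pk].editors


def _diff(a, b):
    return list(difflib.unified_diff(
        a.content.splitlines(), b.content.splitlines(), lineterm=""))


def compare_vulnerable(user, page_pk, rev_a_pk, rev_b_pk):
    """Checks the page the caller names, then loads revisions purely by pk.
    Nothing ties rev_a_pk/rev_b_pk to page_pk, so an editor of page 1 can
    diff the revisions of page 2 by guessing or enumerating their pks."""
    if not can_edit(user, page_pk):
        raise PermissionDenied
    return _diff(REVISIONS[rev_a_pk], REVISIONS[rev_b_pk])


def compare_fixed(user, page_pk, rev_a_pk, rev_b_pk):
    """Same check, plus: both revisions must belong to the page that was checked."""
    if not can_edit(user, page_pk):
        raise PermissionDenied
    a, b = REVISIONS[rev_a_pk], REVISIONS[rev_b_pk]
    if a.page_pk != page_pk or b.page_pk != page_pk:
        raise PermissionDenied
    return _diff(a, b)


def list_documents_vulnerable(user):
    """Returns every filename regardless of caller (user=None is anonymous)."""
    return sorted(d.filename for d in DOCUMENTS.values())


def list_documents_fixed(user):
    """Hides items in private collections from anonymous callers.
    Assumed rule: any signed-in user may see private collections; a real
    site would check per-collection permission here."""
    return sorted(
        d.filename for d in DOCUMENTS.values()
        if user is not None or not COLLECTIONS[d.collection_pk].private)


def is_denied(handler, *args):
    """True if the handler refuses the request with PermissionDenied."""
    try:
        handler(*args)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    # alice cannot edit page 2, yet the vulnerable handler diffs its revisions.
    print(compare_vulnerable("alice", 1, 20, 21))
    print(is_denied(compare_fixed, "alice", 1, 20, 21))
    print(list_documents_vulnerable(None), list_documents_fixed(None))
```

The fixed compare handler makes the point that matters for all five issues: the permission check and the object lookup must refer to the same object. Checking "may this user edit the page named in the URL" and then loading a revision by an unrelated primary key leaves the check decorative.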
Remediation
Update wagtail to a release that addresses all five issues; the linked GitHub advisories list the affected and patched versions. Until the update is deployed, the only issue reachable without a CMS account is the Documents and Images API listing (issue 4); the other four require an authenticated CMS user.
References
- https://github.com/wagtail/wagtail/security/advisories/GHSA-c6wj-9vcj-75pj
- https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6
- https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx
- https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6
- https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3