SB2026061602 - Multiple vulnerabilities in wagtail



Published: June 16, 2026

Security Bulletin ID: SB2026061602
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 5 vulnerabilities.


1) Improper Handling of Insufficient Permissions or Privileges (CVE-ID: CVE-2026-54259)

CWE-ID: CWE-280 - Improper Handling of Insufficient Permissions or Privileges

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of insufficient permissions or privileges in the Documents and Images chooser "chosen" endpoint when handling requests for selected items. A remote user can request items they are not permitted to choose and thereby disclose sensitive information.

The issue is only exploitable by a user with access to the Wagtail admin.


2) Resource exhaustion (CVE-ID: CVE-2026-54260)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the image preview view when processing crafted filter specifications. A remote user can submit a specially crafted filter specification to cause a denial of service.

The issue is only exploitable through the Wagtail admin interface and is not exploitable by an ordinary site visitor.


3) Improper Handling of Insufficient Permissions or Privileges (CVE-ID: CVE-2026-54261)

CWE-ID: CWE-280 - Improper Handling of Insufficient Permissions or Privileges

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of insufficient permissions or privileges in the image preview endpoint when handling image preview requests. A remote user can request a preview of any image to disclose sensitive information.

The issue is limited to users with access to the Wagtail admin, and the existing data of the image object itself is not exposed.


4) Improper Handling of Insufficient Permissions or Privileges (CVE-ID: CVE-2026-54262)

CWE-ID: CWE-280 - Improper Handling of Insufficient Permissions or Privileges

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of insufficient permissions or privileges in the simple_translation page translation feature when creating page translations. A remote user can create translations for pages they do not have permission to access, thereby disclosing sensitive information.

Exploitation requires the "Can submit translation" permission.


5) Cross-site scripting (CVE-ID: CVE-2026-54263)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to perform actions with a victim's credentials.

The vulnerability exists due to cross-site scripting in the dynamic image URL generator view within the Wagtail admin interface when handling a crafted URL. A remote user can craft a malicious URL and trick a higher-privileged user into viewing it, allowing the attacker to perform actions with the victim's credentials.

The issue is not exploitable by an ordinary site visitor without access to the Wagtail admin.


Remediation

Install the update from the vendor's website.