Missing Authorization in wagtail - CVE-2026-25517

Published: May 5, 2026


Vulnerability identifier: #VU130195
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-25517
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Torchbox
Affected software:
wagtail

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the admin preview endpoints when handling crafted preview form submissions. A remote user who already holds privileged (admin) access can submit a specially crafted preview form to obtain a preview rendering of page, snippet, or site setting objects and disclose sensitive information.

The issue is limited to users with access to the Wagtail admin, and the existing data of the targeted object itself is not exposed.


How to mitigate CVE-2026-25517

Install the security update from the vendor's website.