Improper Handling of Insufficient Permissions or Privileges in wagtail - #VU130198

 


Published: May 5, 2026


Vulnerability identifier: #VU130198
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-280
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Torchbox
Affected software:
wagtail

Detailed vulnerability description

The vulnerability allows a remote user to delete form submissions on unauthorized form pages.

The vulnerability exists due to improper handling of insufficient permissions or privileges in the form submission deletion handling when processing crafted deletion requests through the Wagtail admin. A remote user can craft a form submission to delete submissions for form pages they do not have access to.

The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.


Remediation

Install the security update from the vendor's website.
