CVE-2026-28222

MEDIUM · EPSS 33.5%
Published Mar 5, 2026 (3 months ago) · Modified Jun 17, 2026 (2 weeks ago)
CVSS 3.1 base score 6.1 (Medium)

Description

Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists when rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block that run arbitrary JavaScript code when the page is viewed. When the page is viewed by a user with higher privileges, this could lead to actions being performed with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.

CVSS Details

Base Score
6.1
Exploitability
0.9
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
33.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 5

Vendor     Product   Version   Range
torchbox   wagtail   *         <6.3.8
torchbox   wagtail   *         ≥6.4, <7.0.6
torchbox   wagtail   *         ≥7.1, <7.2.3
torchbox   wagtail   7.3       any
torchbox   wagtail   7.3       any

References 9

  • github.com https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d
    Patch
  • github.com https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e
    Patch
  • github.com https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85
    Patch
  • github.com https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b
    Patch
  • github.com https://github.com/wagtail/wagtail/releases/tag/v6.3.8
    Product, Release Notes
  • github.com https://github.com/wagtail/wagtail/releases/tag/v7.0.6
    Product, Release Notes
  • github.com https://github.com/wagtail/wagtail/releases/tag/v7.2.3
    Product, Release Notes
  • github.com https://github.com/wagtail/wagtail/releases/tag/v7.3.1
    Product, Release Notes
  • github.com https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm
    Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d
    Patch
  • github.com https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e
    Patch
  • github.com https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85
    Patch
  • github.com https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b
    Patch