CVE-2026-28223

Severity: Medium (CVSS 3.1 base score 6.1) · EPSS 36.5%
Published: Mar 5, 2026 · Last modified: Jun 17, 2026

Description

Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.
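The root cause described above is the classic stored-XSS pattern in a Django-based admin: an untrusted value (the page title) is interpolated into a confirmation message that is then emitted as HTML without escaping. The following is an added example, not Wagtail's code and not taken from the advisory or the fix commits; it uses a stand-in `SafeString` type and a pure-stdlib `render()` to mimic Django's autoescaping so it runs without Django, and the crafted title is a constructed input. It shows the vulnerable pattern (mark the message safe after interpolating the raw title) beside the hardened one (escape first, then build markup, which is what `django.utils.html.format_html` does).

```python
from html import escape


class SafeString(str):
    """Marker type meaning 'already HTML, emit verbatim'.
    Stands in for django.utils.safestring.SafeString (assumption: same
    semantics) so the example runs without Django installed."""


def render(value) -> str:
    """Mimic template/messages-framework autoescaping: a SafeString is emitted
    as-is, a plain str is HTML-escaped before it reaches the page."""
    if isinstance(value, SafeString):
        return str(value)
    return escape(value, quote=True)


TEMPLATE = "The page '%s' was successfully submitted for translation."


def message_unsafe(title: str) -> SafeString:
    """Vulnerable pattern: interpolate the raw, user-controlled title, then mark
    the whole string safe so the <b> markup survives autoescaping. The title
    rides along unescaped, so any tag it carries is executed by the next admin
    who sees the message. Illustrative only; not Wagtail's implementation."""
    return SafeString(TEMPLATE % ("<b>%s</b>" % title))


def message_safe(title: str) -> SafeString:
    """Hardened pattern: escape the untrusted value first, then add markup and
    mark the result safe. This is the ordering format_html() enforces."""
    return SafeString(TEMPLATE % ("<b>%s</b>" % escape(title, quote=True)))


# Constructed test input (not from the advisory): a page title carrying markup.
CRAFTED_TITLE = '<img src=x onerror="alert(document.cookie)">'


def contains_raw_tag(rendered: str, tag: str = "<img") -> bool:
    """Check used to compare the two paths: is a raw tag still present?"""
    return tag in rendered


if __name__ == "__main__":
    print("unsafe:", render(message_unsafe(CRAFTED_TITLE)))
    print("safe:  ", render(message_safe(CRAFTED_TITLE)))
```

The point of the contrast is ordering, not the escape function itself: `escape()` is available either way, but once a string is marked safe nothing downstream will escape it again, so every interpolated value has to be escaped before that point.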

CVSS Details

Base Score
6.1
Exploitability
0.9
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS: 36.5% (percentile)
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor   | Product | Version | Range
torchbox | wagtail | *       | <6.3.8
torchbox | wagtail | *       | ≥6.4, <7.0.6
torchbox | wagtail | *       | ≥7.1, <7.2.3
torchbox | wagtail | 7.3     | any (fixed in 7.3.1 per the description)
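The ranges above have gaps between branches (a 6.3.8+ install is fixed even though it is below 6.4), so a naive "less than 7.3.1" check misclassifies patched LTS installs. The following added example, not part of this page or of Wagtail, encodes the four ranges from the description and reports whether a given version string, or the locally installed `wagtail` package, falls inside one of them. The pre-release handling (a suffix like `rc1` is ignored, so `7.3rc1` is treated as `7.3.0`) is an assumption chosen to err on the side of reporting "affected".

```python
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# (lowest affected version inclusive, first fixed version exclusive) per branch,
# taken from this advisory's affected-versions list.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 3, 8)),
    ((6, 4, 0), (7, 0, 6)),
    ((7, 1, 0), (7, 2, 3)),
    ((7, 3, 0), (7, 3, 1)),
]


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from a version string. Missing components
    default to 0; any trailing pre-release or dev suffix is dropped, which is a
    deliberately conservative assumption for this check."""
    match = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def is_affected(text: str) -> bool:
    """True if the version falls inside any affected range for CVE-2026-28223."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def installed_wagtail_status():
    """Return (version, affected) for the wagtail package in the current
    environment, or None if it is not installed."""
    try:
        v = installed_version("wagtail")
    except PackageNotFoundError:
        return None
    return v, is_affected(v)


if __name__ == "__main__":
    for sample in ("6.3.7", "6.3.8", "6.4", "7.0.6", "7.2.2", "7.3", "7.3.1"):
        print(f"{sample:>7}: {'AFFECTED' if is_affected(sample) else 'ok'}")
    print("installed:", installed_wagtail_status())
```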

References

  • Patch: https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863
  • Patch: https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19
  • Patch: https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c
  • Patch: https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143
  • Release notes: https://github.com/wagtail/wagtail/releases/tag/v6.3.8
  • Release notes: https://github.com/wagtail/wagtail/releases/tag/v7.0.6
  • Release notes: https://github.com/wagtail/wagtail/releases/tag/v7.2.3
  • Release notes: https://github.com/wagtail/wagtail/releases/tag/v7.3.1
  • Vendor advisory: https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq

Remediation

Upgrade to the patched release for the branch in use: 6.3.8, 7.0.6, 7.2.3, or 7.3.1. There is no configuration-level workaround described by the vendor; the only factor bounding exposure before the upgrade is that the attacker must already hold an admin account able to create pages, so auditing who has that permission limits, but does not remove, the risk. The fix commits:

  • Patch: https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863
  • Patch: https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19
  • Patch: https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c
  • Patch: https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143