← Retour aux CVEs

CVE-2026-28223

MEDIUM

6.1

Description

Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.

Details CVE

Score CVSS v3.16.1

SeveriteMEDIUM

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisHIGH

Interaction utilisateurREQUIRED

Publie3/5/2026

Derniere modification3/9/2026

Sourcenvd

Observations honeypot0

Produits affectes

torchbox:wagtail

Faiblesses (CWE)

CWE-79

References

https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863(security-advisories@github.com)

https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19(security-advisories@github.com)

https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c(security-advisories@github.com)

https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143(security-advisories@github.com)

https://github.com/wagtail/wagtail/releases/tag/v6.3.8(security-advisories@github.com)

https://github.com/wagtail/wagtail/releases/tag/v7.0.6(security-advisories@github.com)

https://github.com/wagtail/wagtail/releases/tag/v7.2.3(security-advisories@github.com)

https://github.com/wagtail/wagtail/releases/tag/v7.3.1(security-advisories@github.com)

https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq(security-advisories@github.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.