Stored Cross-Site Scripting Vulnerability in Wagtail Content Management System
CVE-2026-28222

6.1 MEDIUM

Key Information:

Vendor:
Wagtail
Status:
Vendor
CVE Published:
5 March 2026

What is CVE-2026-28222?

Wagtail, an open-source content management system built on Django, has a stored cross-site scripting vulnerability in the rendering of TableBlock StreamField blocks. Before versions 6.3.8, 7.0.6 and 7.2.3, a user with page creation or editing access could insert arbitrary JavaScript through a specially crafted class attribute on a table cell. When a higher-privileged user views such a page, the script runs in that user's browser session and can perform actions under their credentials. Exploitation requires access to the Wagtail admin interface, and only sites that use TableBlock are affected; operators of such sites should upgrade to a patched version.
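The following is an added illustration, not Wagtail's own code: a hypothetical table-cell renderer in the vulnerable pattern (an editor-controlled class value dropped into markup verbatim) next to a hardened version that whitelists class tokens and escapes the attribute, plus a small audit helper that flags stored class values the whitelist would alter, which is the kind of check a site operator might run over existing TableBlock content. The function names, the regex, and the sample rows are all constructed for this example.

```python
import html
import re

# Constructed whitelist for a single CSS class token: a letter or underscore,
# then letters, digits, underscores or hyphens. Anything else is dropped.
SAFE_CLASS_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")

# Constructed sample of an editor-supplied value that breaks out of the
# class attribute and adds an event-handler attribute of its own.
CRAFTED = 'highlight" onmouseover="alert(1)'


def render_cell_unsafe(text, css_class=""):
    """Vulnerable pattern: the class value is interpolated without validation
    or quoting, so a double quote in it ends the attribute early."""
    return f'<td class="{css_class}">{html.escape(text)}</td>'


def sanitize_class_list(value):
    """Split on whitespace and keep only tokens that match the whitelist."""
    return " ".join(t for t in value.split() if SAFE_CLASS_RE.match(t))


def render_cell_safe(text, css_class=""):
    """Hardened pattern: whitelist the tokens, then attribute-escape the result.
    The class attribute is omitted entirely when nothing survives."""
    cleaned = sanitize_class_list(css_class)
    attr = f' class="{html.escape(cleaned, quote=True)}"' if cleaned else ""
    return f"<td{attr}>{html.escape(text)}</td>"


def audit_table(rows):
    """Return (row, col, raw_value) for every cell whose stored class value
    the whitelist would change. Rows are lists of {"text": ..., "class": ...}
    dicts; this shape is constructed for the example."""
    findings = []
    for r, row in enumerate(rows):
        for c, cell in enumerate(row):
            raw = cell.get("class") or ""
            if sanitize_class_list(raw) != " ".join(raw.split()):
                findings.append((r, c, raw))
    return findings


# Constructed sample table: one cell carries the crafted class value.
SAMPLE_ROWS = [
    [{"text": "Item", "class": "header"}, {"text": "Total", "class": CRAFTED}],
    [{"text": "Widget", "class": ""}, {"text": "42", "class": "numeric"}],
]

if __name__ == "__main__":
    print("unsafe:", render_cell_unsafe("Total", CRAFTED))
    print("safe:  ", render_cell_safe("Total", CRAFTED))
    print("audit: ", audit_table(SAMPLE_ROWS))
```

The audit helper reports a finding whenever the whitelist would alter a value, so it catches both obvious breakout attempts and merely malformed class lists; treat its output as a review queue rather than a verdict.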

Affected Version(s)

wagtail < 6.3.8

wagtail >= 6.4rc1, < 7.0.6

wagtail >= 7.1rc1, < 7.2.3

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
