Stored Cross-Site Scripting Vulnerability in Wagtail by Torchbox
CVE-2026-28223

6.1 MEDIUM

Key Information:

Vendor

Wagtail

Status
Vendor
CVE Published:
5 March 2026

What is CVE-2026-28223?

Wagtail, an open-source content management system built on Django, is susceptible to a stored cross-site scripting (XSS) vulnerability in its translation module. A user with admin access can save a page title containing malicious JavaScript; that script then executes in the browser of any other admin user who interacts with the translation feature. This lets the attacker perform actions under the credentials of the affected user. The vulnerability requires admin privileges to exploit and has been addressed in the latest Wagtail releases. Administrators should upgrade to version 6.3.8, 7.0.6, 7.2.3, or 7.3.1 (whichever matches the release line in use) to mitigate this risk.
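The defect class described above is untrusted text (a page title) reaching admin markup without output encoding. The example below is added here to illustrate that class and its mitigation; it is not Wagtail's code, does not reproduce the actual location of the bug, and the sample title, the `render_title_*` functions and the `audit` helper are all constructed for this illustration. Python's standard-library `html.escape` is used in place of Django's template auto-escaping and `format_html()`, which perform the same encoding.

```python
import html
from html.parser import HTMLParser

# Constructed sample input (not taken from the advisory): a page title an
# admin might save, carrying an event-handler payload.
SAMPLE_TITLE = 'Welcome <img src=x onerror="alert(document.cookie)">'


def render_title_unsafe(title: str) -> str:
    """Vulnerable pattern (illustrative): the stored title is interpolated
    into admin HTML as-is, so any markup it contains becomes live DOM."""
    return f'<td class="title">{title}</td>'


def render_title_escaped(title: str) -> str:
    """Mitigated pattern: HTML-escape the untrusted text before interpolation.
    quote=True also encodes quotes, so the value is safe inside attributes.
    Django's auto-escaping and format_html() do the equivalent."""
    return f'<td class="title">{html.escape(title, quote=True)}</td>'


class _TagCollector(HTMLParser):
    """Records every element and every on* event-handler attribute the
    browser would actually see in a rendered fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def audit(rendered: str) -> dict:
    """Parse a rendered fragment the way a browser would and report which
    elements and event handlers it contains. Only the wrapper element should
    appear if the untrusted text was encoded correctly."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return {"tags": parser.tags, "handlers": parser.handlers}


if __name__ == "__main__":
    for label, render in (("unsafe", render_title_unsafe), ("escaped", render_title_escaped)):
        out = render(SAMPLE_TITLE)
        print(label, audit(out))
```

The `audit` helper is the check worth keeping: run it over rendered admin fragments in a test suite and fail the build if any element other than the intended wrapper, or any `on*` attribute, shows up. Escaping at render time (rather than filtering titles on save) is the right place for the fix, because the same stored value may be rendered in several admin views.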

Affected Version(s)

wagtail < 6.3.8 (fixed in 6.3.8)

wagtail >= 6.4rc1, < 7.0.6 (fixed in 7.0.6)

wagtail >= 7.1rc1, < 7.2.3 (fixed in 7.2.3)


CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
