Security Flaw in Wagtail CMS by Wagtail
CVE-2026-54259

4.3 MEDIUM

Key Information:

Vendor

Wagtail

Status
Vendor
CVE Published: 1 July 2026

What is CVE-2026-54259?

In Wagtail CMS versions prior to 7.0.8, 7.3.3, and 7.4.2, an improper access control vulnerability allows admin users to view the filenames, names, and URLs of documents and images that they are not authorized to access. Regular site visitors without admin privileges cannot exploit this issue, but it poses a risk to data confidentiality within the platform. Users are advised to update their installations to the latest versions to mitigate this vulnerability.

Affected Version(s)

wagtail < 7.0.8

wagtail >= 7.1.0, < 7.3.3

wagtail >= 7.4.0, < 7.4.2

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
