Reflected XSS Vulnerability in Wagtail CMS by Wagtail
CVE-2026-54263
7.3 HIGH
What is CVE-2026-54263?
A reflected cross-site scripting vulnerability exists in the Wagtail CMS, specifically in the dynamic image URL generator within the admin interface. This flaw allows limited-permission editors to create malicious URLs. When a user with higher privileges accesses one of these URLs, unauthorized actions can be executed with that user's credentials. This vulnerability affects all Wagtail sites, irrespective of whether the dynamic image serving feature is active. Users should upgrade to version 7.0.8, 7.3.3, or 7.4.2 to mitigate this risk.
Affected Version(s)
wagtail < 7.0.8
wagtail >= 7.1.0, < 7.3.3
wagtail >= 7.4.0, < 7.4.2
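
The three ranges above are not contiguous (7.0.8 is fixed while 7.1.0 is affected), so a single "older than 7.4.2" comparison misclassifies installs. The following check is an added example, not code from Wagtail or from this advisory; it audits exact `==` pins in requirements-style lines. The function names, the sample lines, and the choice to treat pre-releases of a boundary version as affected are assumptions of this example.

```python
import re

# Affected ranges as listed on this page: (inclusive lower bound, first fixed release).
AFFECTED = [((0, 0, 0), (7, 0, 8)), ((7, 1, 0), (7, 3, 3)), ((7, 4, 0), (7, 4, 2))]

# Exact pins such as "wagtail==7.2.1" or "Wagtail[extra]==7.4.2rc1".
PIN = re.compile(r"^\s*wagtail(\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+)*)([^\s;#]*)", re.I)
PRERELEASE = re.compile(r"^[.\-_]?(a|b|rc|dev)", re.I)
# The package name itself, so "wagtail-localize" and similar add-ons are skipped.
NAME = re.compile(r"^\s*wagtail(\[[^\]]*\])?\s*(?=[=<>~!;#]|$)", re.I)

# Constructed sample lines for illustration (not taken from any real project).
SAMPLE = ["Django==5.2", "wagtail-localize==1.12", "Wagtail==7.2.1  # cms", "wagtail>=7.0"]


def version_key(digits, suffix=""):
    """(major, minor, patch, is_final); a pre-release sorts before its final release."""
    nums = ([int(p) for p in digits.split(".")] + [0, 0])[:3]
    return (*nums, 0 if PRERELEASE.match(suffix) else 1)


def fixed_release_for(digits, suffix=""):
    """Return the fixed release for an affected version, or None if outside every range."""
    key = version_key(digits, suffix)
    for low, fixed in AFFECTED:
        # Assumption: pre-releases of a boundary version count as affected.
        if (*low, 0) <= key < (*fixed, 1):
            return ".".join(map(str, fixed))
    return None


def audit(lines):
    """Classify each wagtail line of a requirements file as (line, status)."""
    findings = []
    for line in lines:
        if not NAME.match(line):
            continue  # another package, a comment, or a blank line
        pin = PIN.match(line)
        if not pin:
            findings.append((line.strip(), "unpinned: check the installed version"))
            continue
        fixed = fixed_release_for(pin.group(2), pin.group(3))
        status = f"affected: fixed in {fixed}" if fixed else "not affected"
        findings.append((line.strip(), status))
    return findings


if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
```

Lines that use range specifiers rather than `==` are reported as unpinned, because the resolved version has to be read from the environment itself.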
