Reflected XSS Vulnerability in Wagtail CMS by Wagtail
CVE-2026-54263

7.3 HIGH

Key Information:

Vendor

Wagtail

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-54263?

A reflected cross-site scripting vulnerability exists in the Wagtail CMS, specifically in the dynamic image URL generator within the admin interface. The flaw allows an editor with limited permissions to craft a malicious URL; when a user with higher privileges opens that URL, the injected script runs in that user's browser session and can perform unauthorized actions with their credentials. The vulnerability affects all Wagtail sites, irrespective of whether the dynamic image serving feature is enabled. Users should upgrade to 7.0.8, 7.3.3 or 7.4.2, depending on the release series in use, to mitigate this risk.

Affected Version(s)

Package   Affected range         Fixed in
wagtail   < 7.0.8                7.0.8
wagtail   >= 7.1.0, < 7.3.3      7.3.3
wagtail   >= 7.4.0, < 7.4.2      7.4.2

References

CVSS v3.1

Score: 7.3
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
