Wagtail · Wagtail · CVE-2021-32681
**Name of the Vulnerable Software and Affected Versions**
Wagtail versions 2.13 through 2.13.1
Wagtail versions 2.12 through 2.12.4
Wagtail versions prior to 2.11.8
**Description**
A cross-site scripting issue exists when the `{% include_block %}` template tag is used to output the value of a plain-text StreamField block, such as `CharBlock` or `TextBlock`, that has no template specified for rendering. This could allow users to insert arbitrary HTML or scripting, but it is only exploitable by users with 'editor' access to the Wagtail admin.
**Recommendations**
For Wagtail versions 2.13 through 2.13.1, update to version 2.13.2.
For Wagtail versions 2.12 through 2.12.4, update to version 2.12.5.
For Wagtail versions prior to 2.11.8, update to version 2.11.8.
As a temporary workaround for sites unable to upgrade, audit the use of `{% include_block %}` to ensure it is not used to output `CharBlock` / `TextBlock` values that have no associated template, and consider replacing the tag with Django's `{{ ... }}` syntax.
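As an added example (not part of this advisory and not Wagtail's own code), the following Python script performs the audit the workaround above describes: it lists `{% include_block %}` tags in a template, lists `CharBlock` / `TextBlock` declarations in a StreamField definition that carry no `template=` argument, and, where both are present, suggests the autoescaped `{{ block.value }}` form. The sample template and model sources are constructed for the demonstration; the regex-based matching and the `.value` attribute on the loop variable are assumptions about a typical Wagtail project layout.

```python
"""Static audit helper for the CVE-2021-32681 workaround.

Added example, not Wagtail code. It checks the two things the advisory's
workaround asks for:
  1. templates that render StreamField children with {% include_block ... %}
  2. StreamField definitions that declare CharBlock / TextBlock without template=
Sample sources below are constructed for the demo (assumption: a conventional
models.py / page template layout).
"""
import re

# Matches   {% include_block block %}   and captures the expression after the tag name
INCLUDE_BLOCK_RE = re.compile(r"\{%\s*include_block\s+(?P<expr>.+?)\s*%\}")

# Matches   ("heading", blocks.CharBlock(...))   or   heading = CharBlock(...)
# Keyword arguments are captured so the template= check can be made on them.
TEXT_BLOCK_RE = re.compile(
    r"""(?:["'](?P<tname>\w+)["']\s*,|(?P<aname>\w+)\s*=)\s*"""
    r"""(?:blocks\.)?(?P<type>CharBlock|TextBlock)\((?P<args>[^()]*)\)"""
)

# Constructed sample: a StreamField with two untemplated plain-text blocks and one templated one
SAMPLE_MODELS = '''
from wagtail.core import blocks
from wagtail.core.fields import StreamField

class BlogPage(Page):
    body = StreamField([
        ("heading", blocks.CharBlock(form_classname="full title")),
        ("paragraph", blocks.TextBlock()),
        ("quote", blocks.CharBlock(template="blog/quote.html")),
    ])
'''

# Constructed sample: a page template that renders every child with include_block
SAMPLE_TEMPLATE = '''{% load wagtailcore_tags %}
{% for block in page.body %}
    {% include_block block %}
{% endfor %}
'''


def find_include_block_tags(template_source):
    """Return (line_number, expression) for every {% include_block ... %} tag."""
    hits = []
    for lineno, line in enumerate(template_source.splitlines(), start=1):
        for m in INCLUDE_BLOCK_RE.finditer(line):
            hits.append((lineno, m.group("expr")))
    return hits


def find_untemplated_text_blocks(python_source):
    """Return (block_name, block_type) for CharBlock/TextBlock declared without template=."""
    found = []
    for m in TEXT_BLOCK_RE.finditer(python_source):
        name = m.group("tname") or m.group("aname")
        if "template=" not in m.group("args").replace(" ", ""):
            found.append((name, m.group("type")))
    return found


def safe_replacement(expr):
    """Django's {{ }} output is autoescaped, so rendering the plain value
    through it is the replacement the advisory suggests (assumption: the loop
    variable is a StreamField child, whose text lives on .value)."""
    return "{{ %s.value }}" % expr


def audit(template_source, python_source):
    """Cross-reference tags and block declarations; each finding names the
    tag location, the at-risk blocks and the suggested replacement."""
    tags = find_include_block_tags(template_source)
    blocks = find_untemplated_text_blocks(python_source)
    findings = []
    if tags and blocks:
        for lineno, expr in tags:
            findings.append({
                "line": lineno,
                "tag": "{%% include_block %s %%}" % expr,
                "blocks_at_risk": blocks,
                "suggested": safe_replacement(expr),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TEMPLATE, SAMPLE_MODELS):
        print("line %(line)d: %(tag)s renders %(blocks_at_risk)s; consider %(suggested)s" % finding)
```

Run the script as-is to see the constructed sample flagged, or point `audit()` at real template and model sources. Blocks that do specify `template=` are left out of the findings, because the advisory scopes the issue to plain-text blocks rendered without a template.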