PT-2026-22987 · Wagtail+1

Gcxwlp · Published 2026-03-03 · Updated 2026-03-10 · CVE-2026-28222

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
- Wagtail versions prior to 6.3.8
- Wagtail versions prior to 7.0.6
- Wagtail versions prior to 7.2.3
- Wagtail versions prior to 7.3.1
Description
Wagtail, an open source content management system built on Django, contains a stored cross-site scripting (XSS) issue affecting the rendering of TableBlock blocks within a StreamField. A user with the ability to create or edit pages containing TableBlock StreamField blocks can set specially crafted class attributes on the block. This allows for the execution of arbitrary JavaScript code when the page is viewed. If viewed by a user with elevated privileges, this could potentially lead to actions being performed with those credentials. The issue is not exploitable by ordinary site visitors without access to the Wagtail admin interface and only impacts sites utilizing TableBlock.
Recommendations
- Wagtail versions prior to 6.3.8 should be upgraded to version 6.3.8 or later.
- Wagtail versions prior to 7.0.6 should be upgraded to version 7.0.6 or later.
- Wagtail versions prior to 7.2.3 should be upgraded to version 7.2.3 or later.
- Wagtail versions prior to 7.3.1 should be upgraded to version 7.3.1 or later.

As a temporary workaround, site owners unable to upgrade can remediate the issue by setting a template attribute on all TableBlock definitions, referencing a template that does not output class attributes.
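The first practical step for a site owner is to determine whether each deployed Wagtail is inside one of the four affected ranges above and which release to move to. The following check is an added example for this page, not code from the advisory or from the Wagtail project. It uses only the standard library, encodes the four fixed releases stated above, and makes one labelled assumption: for release series in which the advisory lists no fixed release (for instance 6.4 or 7.1), a version is treated as affected unless it is at or beyond the newest fixed release on the page, and 7.3.1 is offered as the upgrade target.

```python
"""Check a Wagtail version string against the affected ranges given in
this advisory (CVE-2026-28222).

Added example for this page, not code from the advisory or from the
Wagtail project. Standard library only. The handling of release series
for which the advisory lists no fixed release is an assumption, see
fixed_release_for().
"""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version
from typing import Optional, Tuple

# (major, minor, patch, is_final); is_final is 0 for pre-releases so that
# 7.3.1rc1 sorts below 7.3.1 and is therefore still reported as affected.
Version = Tuple[int, int, int, int]

# First fixed release of each release series, as stated in the advisory.
FIXED_BY_SERIES = {
    (6, 3): (6, 3, 8, 1),
    (7, 0): (7, 0, 6, 1),
    (7, 2): (7, 2, 3, 1),
    (7, 3): (7, 3, 1, 1),
}
LATEST_FIX = max(FIXED_BY_SERIES.values())

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(.*?)\s*$")
_POST_RE = re.compile(r"^\.?post\d*$")


def parse_version(text: str) -> Version:
    """Parse '7.3.1', '7.3', '7.3.1rc1' or '7.3.1.dev2' into a sortable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    suffix = m[4]
    # A post-release carries the same code as its final release; any other
    # suffix (a1, b2, rc1, .dev3) predates the final and so predates the fix.
    is_final = 1 if not suffix or _POST_RE.match(suffix) else 0
    return (major, minor, patch, is_final)


def fixed_release_for(v: Version) -> Version:
    """Smallest fixed release the advisory offers for this version's series.

    Assumption (not stated on the page): for series with no listed fix
    (6.2, 6.4, 7.1, ...) there is nothing to upgrade to within the series,
    so the newest fixed release on the page, 7.3.1, is the target.
    """
    return FIXED_BY_SERIES.get(v[:2], LATEST_FIX)


def is_affected(text: str) -> bool:
    """True when the version sorts below the fixed release for its series."""
    v = parse_version(text)
    return v < fixed_release_for(v)


def recommended_upgrade(text: str) -> Optional[str]:
    """Upgrade target as 'major.minor.patch', or None when already fixed."""
    v = parse_version(text)
    target = fixed_release_for(v)
    if not v < target:
        return None
    return ".".join(str(n) for n in target[:3])


def check_installed() -> Optional[str]:
    """Report on the Wagtail installed in the current Python environment."""
    try:
        found = installed_version("wagtail")
    except PackageNotFoundError:
        return None
    target = recommended_upgrade(found)
    verdict = f"affected, upgrade to {target}" if target else "not affected"
    return f"wagtail {found}: {verdict}"


if __name__ == "__main__":
    # Constructed sample inputs covering each series and the edge cases.
    for sample in ["6.3.7", "6.3.8", "7.0.5", "7.1.2", "7.2.3", "7.3.1rc1", "7.3.1", "7.4.0"]:
        target = recommended_upgrade(sample)
        print(f"{sample:>9}: {'affected -> ' + target if target else 'not affected'}")
    print(check_installed() or "wagtail is not installed in this environment")
```

Run it inside each site's virtual environment so that check_installed() reports the version that is actually deployed; pre-release builds such as 7.3.1rc1 are deliberately reported as affected because they predate the fixed final release. Where an upgrade cannot be scheduled immediately, the advisory's interim measure is to pass a template to every TableBlock that omits class attributes, which removes the rendering path the advisory describes.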

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers
- CVE-2026-28222
- GHSA-P5CM-246W-84JM

Affected Products
- Django
- Wagtail