PT-2026-22988 · Wagtail · Wagtail

Gcxwlp · Published 2026-03-03 · Updated 2026-03-10 · CVE-2026-28223

CVSS v3.1: 6.1 Medium

Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
Wagtail versions prior to 6.3.8
Wagtail versions prior to 7.0.6
Wagtail versions prior to 7.2.3
Wagtail versions prior to 7.3.1

Description
A stored cross-site scripting (XSS) issue exists within the wagtail.contrib.simple_translation module. A user with Wagtail admin access can create a page with a specially crafted title. When another user performs the "Translate" action on that page, arbitrary JavaScript code can execute in that user's browser, potentially allowing actions to be performed using the other user's credentials. The issue is not exploitable by ordinary site visitors without admin access.

Recommendations
Update to Wagtail version 6.3.8 or later.
Update to Wagtail version 7.0.6 or later.
Update to Wagtail version 7.2.3 or later.
Update to Wagtail version 7.3.1 or later.
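
A triage check for the version ranges and module named above, added here as an example and not taken from the advisory or the Wagtail project. The function names are hypothetical, and it assumes each fixed release covers its own release line, while lines not listed (for example 7.1.x) count as affected until 7.3.1.

```python
import re

# Fixed release per release line, from the advisory's recommendations.
FIXED = {(6, 3): (6, 3, 8), (7, 0): (7, 0, 6), (7, 2): (7, 2, 3), (7, 3): (7, 3, 1)}
NEWEST_FIX = max(FIXED.values())  # assumption: threshold for lines not listed
MODULE = "wagtail.contrib.simple_translation"


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for '7.0.6', '7.3rc1', ..."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    pre = re.match(r"\.?(a|b|rc|dev)\d*", m.group(4)) is not None
    return nums, pre


def is_patched(version_text):
    """True when the release is at or beyond the fix for its release line."""
    nums, pre = parse_version(version_text)
    fixed = FIXED.get(nums[:2], NEWEST_FIX)
    if nums == fixed and pre:
        return False  # a pre-release of the fixed version is still "prior to" it
    return nums >= fixed


def assess(version_text, installed_apps):
    """Classify one deployment from its Wagtail version and INSTALLED_APPS."""
    if is_patched(version_text):
        return "patched"
    if MODULE in installed_apps:
        return "affected"
    # The flaw sits in the simple_translation module; upgrade regardless.
    return "unpatched, module not enabled"


if __name__ == "__main__":
    # Constructed sample inventory: (version, INSTALLED_APPS excerpt).
    inventory = [
        ("6.3.7", ["wagtail", MODULE]),
        ("7.0.6", ["wagtail", MODULE]),
        ("7.1.5", ["wagtail"]),
        ("7.3.1rc1", ["wagtail", MODULE]),
    ]
    for version, apps in inventory:
        print(f"{version:10} {assess(version, apps)}")
```

On a live deployment the two inputs would come from `wagtail.__version__` and `settings.INSTALLED_APPS`.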

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-28223
GHSA-P4V8-RW59-93CQ

Affected Products

Wagtail