PT-2026-54840 · Wagtail · Wagtail
Thibaudcolas · Published 2026-07-01 · Updated 2026-07-01
CVE-2026-54263
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Wagtail versions prior to 7.0.8
Wagtail versions prior to 7.3.3
Wagtail versions prior to 7.4.2
Description
A reflected cross-site scripting (XSS) issue exists in the dynamic image URL generator view within the admin interface. An attacker with limited-permission editor credentials can craft a malicious URL that, if accessed by a user with higher privileges, allows the execution of actions using those elevated credentials. This issue affects all sites regardless of whether the dynamic image serve view is enabled and cannot be exploited by visitors who lack admin access.
Recommendations
Update to version 7.0.8.
Update to version 7.3.3.
Update to version 7.4.2.
Fix
XSS
Affected Products
Wagtail