PT-2026-54840 · Wagtail · Wagtail

Thibaudcolas · Published 2026-07-01 · Updated 2026-07-01 · CVE-2026-54263

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Wagtail versions prior to 7.0.8
Wagtail versions prior to 7.3.3
Wagtail versions prior to 7.4.2

Description

A reflected cross-site scripting (XSS) issue exists in the dynamic image URL generator view within the admin interface. An attacker with limited-permission editor credentials can craft a malicious URL that, if accessed by a user with higher privileges, allows the execution of actions using those elevated credentials. This issue affects all sites regardless of whether the dynamic image serve view is enabled and cannot be exploited by visitors who lack admin access.

Recommendations

Update to version 7.0.8.
Update to version 7.3.3.
Update to version 7.4.2.

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-54263
PYSEC-2026-616

Affected Products

Wagtail