PT-2026-6307 · Wagtail · Wagtail

Thxtech · Published 2026-02-03 · Updated 2026-02-04 · CVE-2026-25517

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Wagtail versions prior to 6.3.6
Wagtail versions prior to 7.0.4
Wagtail versions prior to 7.1.3
Wagtail versions prior to 7.2.2
Wagtail versions prior to 7.3
Description

Wagtail, an open source content management system built on Django, is missing a permission check on its preview endpoints. A user who has access to the Wagtail admin and knows a model's fields can construct a form submission that obtains a preview rendering of any page, snippet, or site setting object for which previews are enabled, populated with data of their choosing. The object's own stored data is not exposed, but the rendering process may reveal other database contents that should be visible only to users with edit access over that model. The issue is not exploitable by ordinary site visitors without Wagtail admin access.
Recommendations

Update to Wagtail version 6.3.6 or later.
Update to Wagtail version 7.0.4 or later.
Update to Wagtail version 7.1.3 or later.
Update to Wagtail version 7.2.2 or later.
Update to Wagtail version 7.3 or later.


Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-25517
GHSA-4QVV-G3VR-M348

Affected Products

Wagtail