CVE-2026-28223

EPSS 0.46%
Veröffentlicht 05.03.2026 18:56:41
Zuletzt bearbeitet 09.03.2026 20:54:40
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Wagtail: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface

Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 12

NVD 5 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Torchbox ≫ Wagtail Version < 6.3.8

Torchbox ≫ Wagtail Version >= 6.4 < 7.0.6

Torchbox ≫ Wagtail Version >= 7.1 < 7.2.3

Torchbox ≫ Wagtail Version7.3 Update-

Torchbox ≫ Wagtail Version7.3 Updaterc1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.363

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.1	0.9	5.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/wagtail/wagtail/releases/tag/v6.3.8

Product

Release Notes

https://github.com/wagtail/wagtail/releases/tag/v7.0.6

Product

Release Notes

https://github.com/wagtail/wagtail/releases/tag/v7.2.3

Product

Release Notes

https://github.com/wagtail/wagtail/releases/tag/v7.3.1

Product

Release Notes

https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq

Vendor Advisory

https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863

Patch

https://github.com/wagtail/wagtail/commit/ba70244d376a7b1bd180ded03e827917ff410c19

Patch

https://github.com/wagtail/wagtail/commit/d8c5900982df8ed5938ad993aa9ff69cda50f80c

Patch

https://github.com/wagtail/wagtail/commit/ee39d39deeb7f250fe886417b24802d7e05b1143

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-28223

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-28223

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-28223

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-28223