Description
Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.
Published: 2026-03-05
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that can execute arbitrary JavaScript in privileged user contexts
Action: Patch Now
AI Analysis

Impact

Wagtail CMS contains a stored cross‑site scripting flaw in the TableBlock class attribute handling. A content editor with permission to create or edit pages can insert specially crafted class names that are rendered without proper escaping, allowing arbitrary JavaScript to run when the page is viewed. If the page is accessed by a user with higher privileges, the injected script may perform actions using that user’s credentials.

Affected Systems

All Wagtail installations using TableBlock and running versions earlier than 6.3.8, 7.0.6, 7.2.3, or 7.3.1 are affected. The vulnerability is limited to sites that employ TableBlock blocks within StreamField content.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.1 and an EPSS probability of less than 1%, indicating a moderate severity with a low likelihood of exploitation. It is not listed in the CISA KEV catalog. Exploitation requires access to the Wagtail admin interface and the ability to edit or create TableBlock content; ordinary site visitors cannot exploit it directly. Once injected, the malicious script can potentially act with the privileges of the browsing user, posing the risk of privilege escalation.

Generated by OpenCVE AI on April 17, 2026 at 12:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wagtail to a patched version (6.3.8, 7.0.6, 7.2.3, or 7.3.1).
  • If an upgrade cannot be performed immediately, restrict the use of the TableBlock block to trusted administrators only, disabling it for all other users to prevent further injection.
  • After the upgrade or restriction, audit all existing pages that contain TableBlock blocks and remove any malicious class attributes to eliminate stored XSS payloads.

Generated by OpenCVE AI on April 17, 2026 at 12:40 UTC.
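The third recommended action (auditing existing pages for stored payloads) is the one that needs tooling. The following is an added example, not Wagtail's or OpenCVE's own code. It walks a StreamField value as stored in a page revision's JSON and flags TableBlock cell class names that contain characters outside a conservative CSS class token set. It assumes the TableBlock value keeps per-cell class names in a `cell` list of `{"row", "col", "className"}` dicts (the Handsontable layout) and that the block type name is `table`; both are assumptions to adjust to the site's own StreamField definitions. The sample body is constructed for the demonstration.

```python
import json
import re

# Conservative allow-list for a class attribute value: one or more CSS class
# tokens made of letters, digits, hyphens and underscores, separated by spaces.
SAFE_CLASS_RE = re.compile(r"[A-Za-z0-9_\- ]*")


def class_name_is_safe(value):
    """True when the value is a string containing only allow-listed characters."""
    return isinstance(value, str) and SAFE_CLASS_RE.fullmatch(value) is not None


def find_unsafe_table_classes(stream_data, block_type="table"):
    """Walk a decoded StreamField value (list of {type, value, id} dicts,
    recursing into nested StructBlocks/StreamBlocks/ListBlocks) and return a
    list of (path, className) pairs for TableBlock cells whose class names
    contain characters outside the allow-list."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            value = node.get("value")
            if node.get("type") == block_type and isinstance(value, dict):
                # Assumed TableBlock layout: per-cell metadata lives in value["cell"].
                for cell in value.get("cell") or []:
                    cls = cell.get("className")
                    if cls and not class_name_is_safe(cls):
                        findings.append(
                            (f"{path}/cell[{cell.get('row')},{cell.get('col')}]", cls)
                        )
            for key, child in node.items():
                walk(child, f"{path}/{key}")
        elif isinstance(node, list):
            for index, child in enumerate(node):
                walk(child, f"{path}[{index}]")

    walk(stream_data, "")
    return findings


def audit_revision_json(body_json_text, block_type="table"):
    """Convenience wrapper: decode a revision's StreamField JSON text and audit it."""
    return find_unsafe_table_classes(json.loads(body_json_text), block_type)


# Constructed sample body: one safe table, one table with a quote character in a
# class name, and one table nested inside a StructBlock with an angle bracket.
SAMPLE_BODY_JSON = r"""[
  {"type": "paragraph", "value": "<p>Intro</p>", "id": "b0"},
  {"type": "table", "id": "b1", "value": {
      "data": [["Name", "Qty"], ["Widget", "3"]],
      "first_row_is_table_header": true, "first_col_is_header": false,
      "table_caption": "",
      "cell": [{"row": 1, "col": 0, "className": "highlight"},
               {"row": 1, "col": 1, "className": "row-1 col_2"}]}},
  {"type": "table", "id": "b2", "value": {
      "data": [["A", "B"]],
      "first_row_is_table_header": false, "first_col_is_header": false,
      "table_caption": "",
      "cell": [{"row": 0, "col": 1, "className": "hl\""}]}},
  {"type": "section", "id": "b3", "value": {
      "heading": "Nested",
      "content": [{"type": "table", "id": "b4", "value": {
          "data": [["x"], ["y"], ["z"]],
          "first_row_is_table_header": false, "first_col_is_header": false,
          "table_caption": "",
          "cell": [{"row": 2, "col": 0, "className": "<x>"}]}}]}}
]"""


if __name__ == "__main__":
    for path, cls in audit_revision_json(SAMPLE_BODY_JSON):
        print(f"unsafe class name at {path}: {cls!r}")
```

On a live site the wrapper would be fed each page revision's stored StreamField JSON (including older revisions, since a payload can persist in a draft), and a non-empty result list identifies the blocks to clean before or after upgrading. The allow-list is deliberately strict: it also rejects legitimate but unusual class names, which is the right trade-off for a one-off audit where false positives are cheap to review.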

Advisories
Source: Github GHSA
ID: GHSA-p5cm-246w-84jm
Title: Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes
History

Mon, 09 Mar 2026 21:00:00 +0000

Type: First Time appeared
  Values Added: Torchbox; Torchbox wagtail
Type: CPEs
  Values Added:
    cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*
    cpe:2.3:a:torchbox:wagtail:7.3:-:*:*:*:*:*:*
    cpe:2.3:a:torchbox:wagtail:7.3:rc1:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Torchbox; Torchbox wagtail

Fri, 06 Mar 2026 18:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
  Values Added: Wagtail; Wagtail wagtail
Type: Vendors & Products
  Values Added: Wagtail; Wagtail wagtail

Thu, 05 Mar 2026 19:30:00 +0000

Type: Description
  Values Added: Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.
Type: Title
  Values Added: Wagtail: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes
Type: Weaknesses
  Values Added: CWE-79
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T18:05:28.611Z

Reserved: 2026-02-25T15:28:40.650Z

Link: CVE-2026-28222

Vulnrichment

Updated: 2026-03-06T18:05:25.331Z

NVD

Status: Analyzed

Published: 2026-03-05T20:16:15.277

Modified: 2026-03-09T20:54:53.927

Link: CVE-2026-28222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses