Description
Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.
Published: 2026-03-05
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting in the admin confirmation messages of Wagtail
Action: Patch Immediately
AI Analysis

Impact

A stored cross-site scripting flaw exists in Wagtail's wagtail.contrib.simple_translation module. It is triggered when a user with admin access creates a page whose title contains HTML or script, and that title is later inserted, unescaped, into the confirmation message shown when another admin user runs the "Translate" action. The injected JavaScript executes in that user's browser session, which lets the attacker perform actions with the victim's credentials.

Affected Systems

Wagtail instances running any 6.x or 7.x release older than 6.3.8, 7.0.6, 7.2.3, or 7.3.1 and that use the wagtail.contrib.simple_translation module are affected. Administrators should verify the installation version and the presence of this module.
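The version and module check the paragraph above asks for, as an added example that is not OpenCVE's or Wagtail's own code. It encodes only the fixed releases the advisory lists and the advisory's condition that wagtail.contrib.simple_translation must be enabled; the version string and INSTALLED_APPS list it takes are assumed to come from the deployment being checked, and pre-release tags such as 7.3rc1 are treated as below the first numbered release of their series.

```python
import re

# First patched release in each affected minor series, as listed in the advisory.
FIXED_RELEASES = {(6, 3): (6, 3, 8), (7, 0): (7, 0, 6), (7, 2): (7, 2, 3), (7, 3): (7, 3, 1)}
MODULE = "wagtail.contrib.simple_translation"


def fmt(v):
    return ".".join(map(str, v))


def parse_version(text):
    """Parse '7.2.3' or '7.3rc1' into (major, minor, patch).

    Pre-release tags are dropped, so '7.3rc1' becomes (7, 3, 0), which sorts
    below the fixed 7.3.1 release (the NVD CPE list includes 7.3:rc1).
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Wagtail version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version, installed_apps):
    """Return (affected, reason); affected is None when the advisory does not cover the series."""
    major, minor, patch = parse_version(version)
    if MODULE not in installed_apps:
        return False, f"{MODULE} is not enabled, so the vulnerable code path is unreachable"
    if major > 7:
        return False, "newer than every release series the advisory covers"
    if major < 6:
        return None, "older than the 6.x/7.x range the advisory describes; verify separately"
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is not None:
        if (major, minor, patch) >= fixed:
            return False, f"{version} is at or above the patched release {fmt(fixed)}"
        return True, f"upgrade to {fmt(fixed)} or later"
    # A 6.x/7.x series with no patched release listed (e.g. 6.2 or 7.1): the
    # nearest later fixed release is the upgrade target.
    target = min(f for f in FIXED_RELEASES.values() if f > (major, minor, patch))
    return True, f"no patched release in the {major}.{minor} series; upgrade to {fmt(target)} or later"


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from a real deployment.
    for v in ("7.2.2", "7.2.3", "7.3rc1", "7.1.0"):
        print(v, assess(v, ["wagtail", MODULE]))
```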

Risk and Exploitability

The CVSS score of 6.1 denotes medium severity. An EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The flaw requires access to the admin interface, so it cannot be triggered by a regular site visitor. Nevertheless, any account with admin access (including a compromised one) can plant the payload, which then runs with the privileges of the admin user who triggers the translation action, so it can be used to tamper with content or act with that user's permissions.

Generated by OpenCVE AI on April 16, 2026 at 12:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Wagtail v6.3.8 or later, including v7.0.6, v7.2.3, or v7.3.1, which contain the patch for the stored XSS issue.
  • Remove or disable the wagtail.contrib.simple_translation feature if it is not required on the site, thereby eliminating the vulnerable code path.
  • Restrict access to the Wagtail admin area to a minimal set of trusted users and enforce strong authentication practices.
  • Deploy a Content Security Policy that blocks inline script execution and limits script sources to trusted origins.

Advisories

Source: GitHub GHSA
ID: GHSA-p4v8-rw59-93cq
Title: Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface

History

Mon, 09 Mar 2026 21:00:00 +0000

Values added:
  First Time appeared: Torchbox; Torchbox wagtail
  CPEs:
    cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*
    cpe:2.3:a:torchbox:wagtail:7.3:-:*:*:*:*:*:*
    cpe:2.3:a:torchbox:wagtail:7.3:rc1:*:*:*:*:*:*
  Vendors & Products: Torchbox; Torchbox wagtail

Fri, 06 Mar 2026 15:30:00 +0000

Values added:
  First Time appeared: Wagtail; Wagtail wagtail
  Vendors & Products: Wagtail; Wagtail wagtail

Fri, 06 Mar 2026 11:15:00 +0000

Values added:
  Metrics: ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: total

Thu, 05 Mar 2026 19:30:00 +0000

Values added:
  Description: as given in the Description section above
  Title: Wagtail: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface
  Weaknesses: CWE-79
  References:
  Metrics: cvssV3_1, score 6.1, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T10:39:42.379Z

Reserved: 2026-02-25T15:28:40.650Z

Link: CVE-2026-28223

Vulnrichment

Updated: 2026-03-06T10:39:36.892Z

NVD

Status: Analyzed

Published: 2026-03-05T20:16:15.493

Modified: 2026-03-09T20:54:40.870

Link: CVE-2026-28223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses