CVE-2026-28222

MEDIUM

Wagtail <6.3.8/7.0.6/7.2.3/7.3.1 - XSS

Title source: llm
STIX 2.1

Description

Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.

References (9)

Core 9
Core References

Scores

CVSS v3 6.1
EPSS 0.0010
EPSS Percentile 26.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (2)
torchbox/wagtail 7.3 (2 CPE variants)
torchbox/wagtail < 6.3.8
Published Mar 05, 2026
Tracked Since Mar 06, 2026