CVE-2026-44198
MEDIUM
Wagtail: Improper permission handling when viewing page history
Title source: cna
Description
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
References (1)
Core References
x_refsource_confirm
https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6
Scores
CVSS v3
4.3
EPSS
0.0003
EPSS Percentile
8.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-280
Status
published
Products (5)
pypi/wagtail
0 - 7.0.7 (PyPI)
pypi/wagtail
7.1 - 7.3.2 (PyPI)
torchbox/wagtail
< 7.0.7
wagtail/wagtail
< 7.0.7
wagtail/wagtail
>= 7.1, < 7.3.2
Published
May 11, 2026
Tracked Since
May 11, 2026