CVE-2026-44199

MEDIUM

Wagtail: Improper permission handling when deleting form submissions

Title source: cna

Description

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 9.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-280

Status published

Products (5)

pypi/wagtail 0 - 7.0.7PyPI

pypi/wagtail 7.1 - 7.3.2PyPI

torchbox/wagtail < 7.0.7

wagtail/wagtail < 7.0.7

wagtail/wagtail >= 7.1, < 7.3.2

Published May 11, 2026

Tracked Since May 11, 2026