CVE-2026-25517

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-25517
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25517.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25517
Aliases
Published
2026-02-04T20:48:19.160Z
Modified
2026-03-01T02:57:34.273870Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Wagtail has improper permission handling on admin preview endpoints
Details

Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25517.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/wagtail/wagtail

Affected ranges

Type
GIT
Repo
https://github.com/wagtail/wagtail
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
18dddaee3b6fb4af3d3b368f3e2e5ee8a020b765
Last affected
2061a40b9b1c7e181efa9240f566ff7da2da8e33
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.3.6"
        },
        {
            "last_affected": "= 7.3rc1"
        }
    ]
}
Type
GIT
Repo
https://github.com/wagtail/wagtail
Events
Introduced
b7de2007d8d5722bdd6d1384de510eb3a727cc8b
Fixed
ae831dd4c926ee122fe39b0b6c9226c9ebf237b0
Database specific 
{
    "versions": [
        {
            "introduced": "6.4rc1"
        },
        {
            "fixed": "7.0.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/wagtail/wagtail
Events
Introduced
afd8aecc4bd6abec78809825861164255361cdd5
Fixed
119ae0b9acc27cfb2ab27a3b464428ded104f74e
Database specific 
{
    "versions": [
        {
            "introduced": "7.1rc1"
        },
        {
            "fixed": "7.1.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/wagtail/wagtail
Events
Introduced
aed1c25b8b2c76f5d8d1f55a97b6c46204a573a3
Fixed
e1e1783f9cfbe81f80c4f3b6140b0b7cef1a3513
Database specific 
{
    "versions": [
        {
            "introduced": "7.2rc1"
        },
        {
            "fixed": "7.2.2"
        }
    ]
}

Affected versions

v0.*
v0.1
v0.2
v0.3
v0.3.1
v0.4
v0.5
v0.6
v0.7
v0.8
v0.8.1
v1.*
v1.0b1
v1.0b2
v1.0rc1
v1.10rc1
v1.1rc1
v1.2rc1
v1.3rc1
v1.4rc1
v1.5rc1
v1.6rc1
v1.8rc1
v2.*
v2.0b1
v2.11.rc1
v2.16rc1
v2.1rc1
v2.2rc1
v2.8rc1
v4.*
v4.1rc1
v7.*
v7.1
v7.1.1
v7.1.2
v7.1rc1
v7.2
v7.2.1
v7.2rc1
v7.3rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25517.json"