CVE-2026-28222

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28222

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28222.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28222

Aliases

GHSA-p5cm-246w-84jm

Published

2026-03-05T18:58:20.719Z

Modified

2026-04-02T13:22:22.153493Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Wagtail: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes

Details

Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28222.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/wagtail/wagtail

Affected ranges

Type

GIT

Repo

https://github.com/wagtail/wagtail

Events

Introduced

Fixed

0a473e521df5eb31a1a7f1840b64527f7eeffaf3

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.3.8"
        }
    ]
}

Type

GIT

Repo

https://github.com/wagtail/wagtail

Events

Introduced

b7de2007d8d5722bdd6d1384de510eb3a727cc8b

Fixed

c445aa76d14da81dac591930942335dbbcd38ca8

Database specific

{
    "versions": [
        {
            "introduced": "6.4rc1"
        },
        {
            "fixed": "7.0.6"
        }
    ]
}

Type

GIT

Repo

https://github.com/wagtail/wagtail

Events

Introduced

afd8aecc4bd6abec78809825861164255361cdd5

Fixed

b55a95d83acff5895b2c48894a5b1e7ad2dd2273

Database specific

{
    "versions": [
        {
            "introduced": "7.1rc1"
        },
        {
            "fixed": "7.2.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/wagtail/wagtail

Events

Introduced

2061a40b9b1c7e181efa9240f566ff7da2da8e33

Fixed

136e2f65957314f26bd2632adec08fe5ef9a1e25

Database specific

{
    "versions": [
        {
            "introduced": "7.3rc1"
        },
        {
            "fixed": "7.3.1"
        }
    ]
}

Affected versions

v0.*

v0.1

v0.2

v0.3

v0.3.1

v0.4

v0.4.1

v0.5

v0.6

v0.7

v0.8

v0.8.1

v0.8.10

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.8.6

v0.8.7

v0.8.8

v0.8.9

v1.*

v1.0

v1.0b1

v1.0b2

v1.0rc1

v1.0rc2

v1.1

v1.10

v1.10.1

v1.10rc1

v1.11

v1.11.1

v1.11rc1

v1.12

v1.12.1

v1.12.2

v1.12.3

v1.12.4

v1.12.5

v1.12.6

v1.12rc1

v1.13

v1.13.1

v1.13.2

v1.13.3

v1.13.4

v1.13rc1

v1.1rc1

v1.2

v1.2rc1

v1.3

v1.3.1

v1.3rc1

v1.4

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4rc1

v1.5

v1.5.1

v1.5.2

v1.5.3

v1.5rc1

v1.6

v1.6.1

v1.6.2

v1.6.3

v1.6rc1

v1.7

v1.7rc1

v1.8

v1.8.1

v1.8.2

v1.8rc1

v1.9

v1.9.1

v1.9rc1

v2.*

v2.0

v2.0.1

v2.0.2

v2.0b1

v2.0rc1

v2.1

v2.1.1

v2.1.2

v2.1.3

v2.10

v2.10.1

v2.10.2

v2.10rc1

v2.10rc2

v2.11

v2.11.1

v2.11.2

v2.11.3

v2.11.4

v2.11.5

v2.11.6

v2.11.7

v2.11.8

v2.11.9

v2.11.rc1

v2.12

v2.12.1

v2.12.2

v2.12.3

v2.12.4

v2.12.5

v2.12.6

v2.12.7

v2.12rc1

v2.13

v2.13.1

v2.13.2

v2.13.3

v2.13.4

v2.13.5

v2.13rc1

v2.13rc2

v2.13rc3

v2.14

v2.14.1

v2.14.2

v2.14rc1

v2.15

v2.15.1

v2.15.2

v2.15.3

v2.15.4

v2.15.5

v2.15.6

v2.15rc1

v2.15rc2

v2.16

v2.16.1

v2.16.2

v2.16.3

v2.16rc1

v2.16rc2

v2.1rc1

v2.1rc2

v2.2

v2.2.1

v2.2.2

v2.2rc1

v2.2rc2

v2.3

v2.3rc1

v2.3rc2

v2.4

v2.4rc1

v2.5

v2.5.1

v2.5.2

v2.5rc1

v2.6

v2.6.1

v2.6.2

v2.6.3

v2.6rc1

v2.7

v2.7.1

v2.7.2

v2.7.3

v2.7.4

v2.7rc1

v2.7rc2

v2.8

v2.8.1

v2.8.2

v2.8rc1

v2.9

v2.9.1

v2.9.2

v2.9.3

v2.9rc1

v3.*

v3.0

v3.0.1

v3.0.2

v3.0.3

v3.0rc1

v3.0rc2

v3.0rc3

v4.*

v4.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0rc1

v4.0rc2

v4.1

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.1.7

v4.1.8

v4.1.9

v4.1rc1

v4.2

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2rc1

v5.*

v5.0

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.0.5

v5.0rc1

v5.1

v5.1.1

v5.1.2

v5.1.3

v5.1rc1

v5.2

v5.2.1

v5.2.2

v5.2.3

v5.2.4

v5.2.5

v5.2.6

v5.2.7

v5.2.8

v5.2rc1

v6.*

v6.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.0.6

v6.0rc1

v6.1

v6.1.1

v6.1.2

v6.1.3

v6.1rc1

v6.1rc2

v6.2

v6.2.1

v6.2.2

v6.2.3

v6.2.4

v6.2rc1

v6.3

v6.3.1

v6.3.2

v6.3.3

v6.3.4

v6.3.5

v6.3.6

v6.3.7

v6.3rc2

v6.4

v6.4.1

v6.4.2

v6.4rc1

v7.*

v7.0

v7.0.1

v7.0.2

v7.0.3

v7.0.4

v7.0.5

v7.0.6

v7.0rc1

v7.1

v7.1.1

v7.1.2

v7.1.3

v7.1rc1

v7.2

v7.2.1

v7.2.2

v7.2.3

v7.2rc1

v7.3

v7.3.1

v7.3rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28222.json"