GHSA-4qvv-g3vr-m348

Source

https://github.com/advisories/GHSA-4qvv-g3vr-m348

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4qvv-g3vr-m348/GHSA-4qvv-g3vr-m348.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4qvv-g3vr-m348

Aliases

CVE-2026-25517

Published

2026-02-03T18:35:52Z

Modified

2026-02-04T22:04:29.931322Z

Severity

5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Wagtail has improper permission handling on admin preview endpoints

Details

Impact

Due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 6.3.6, 7.0.4, 7.1.3 and 7.2.2. The new 7.3 feature release also incorporates this fix.

Workarounds

No workaround is available.

Acknowledgements

Many thanks to @thxtech for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Visit Wagtail's support channels
Send an email to security@wagtail.org (view our security policy for more information).

Database specific

{
    "cwe_ids": [
        "CWE-862"
    ],
    "github_reviewed_at": "2026-02-03T18:35:52Z",
    "nvd_published_at": "2026-02-04T21:16:02Z",
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.3.6

Affected versions

0.*

0.1

0.2

0.3

0.3.1

0.4

0.4.1

0.5

0.6

0.7

0.8

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.8.10

1.*

1.0b1

1.0b2

1.0rc1

1.0rc2

1.0

1.1rc1

1.1

1.2rc1

1.2

1.3rc1

1.3

1.3.1

1.4rc1

1.4

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.5rc1

1.5

1.5.1

1.5.2

1.5.3

1.6rc1

1.6

1.6.1

1.6.2

1.6.3

1.7rc1

1.7

1.8rc1

1.8

1.8.1

1.8.2

1.9rc1

1.9

1.9.1

1.10rc1

1.10

1.10.1

1.11rc1

1.11

1.11.1

1.12rc1

1.12

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.13rc1

1.13

1.13.1

1.13.2

1.13.3

1.13.4

2.*

2.0b1

2.0rc1

2.0

2.0.1

2.0.2

2.1rc1

2.1rc2

2.1

2.1.1

2.1.2

2.1.3

2.2rc1

2.2rc2

2.2

2.2.1

2.2.2

2.3rc1

2.3rc2

2.3

2.4rc1

2.4

2.5rc1

2.5

2.5.1

2.5.2

2.6rc1

2.6

2.6.1

2.6.2

2.6.3

2.7rc1

2.7rc2

2.7

2.7.1

2.7.2

2.7.3

2.7.4

2.8rc1

2.8

2.8.1

2.8.2

2.9rc1

2.9

2.9.1

2.9.2

2.9.3

2.10rc1

2.10rc2

2.10

2.10.1

2.10.2

2.11rc1

2.11

2.11.1

2.11.2

2.11.3

2.11.4

2.11.5

2.11.6

2.11.7

2.11.8

2.11.9

2.12rc1

2.12

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.12.6

2.13rc1

2.13rc2

2.13rc3

2.13

2.13.1

2.13.2

2.13.3

2.13.4

2.13.5

2.14rc1

2.14

2.14.1

2.14.2

2.15rc1

2.15rc2

2.15

2.15.1

2.15.2

2.15.3

2.15.4

2.15.5

2.15.6

2.16rc1

2.16rc2

2.16

2.16.1

2.16.2

2.16.3

3.*

3.0rc1

3.0rc2

3.0rc3

3.0

3.0.1

3.0.2

3.0.3

4.*

4.0rc1

4.0rc2

4.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1rc1

4.1

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.1.9

4.2rc1

4.2

4.2.1

4.2.2

4.2.3

4.2.4

5.*

5.0rc1

5.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.1rc1

5.1

5.1.1

5.1.2

5.1.3

5.2rc1

5.2

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

6.*

6.0rc1

6.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.1rc1

6.1rc2

6.1

6.1.1

6.1.2

6.1.3

6.2rc1

6.2

6.2.1

6.2.2

6.2.3

6.2.4

6.3rc1

6.3rc2

6.3

6.3.1

6.3.2

6.3.3

6.3.4

6.3.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4qvv-g3vr-m348/GHSA-4qvv-g3vr-m348.json"

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4rc1

Fixed

7.0.4

Affected versions

6.*

6.4rc1

6.4

6.4.1

6.4.2

7.*

7.0rc1

7.0

7.0.1

7.0.2

7.0.3

Database specific

last_known_affected_version_range

"<= 7.0.3"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4qvv-g3vr-m348/GHSA-4qvv-g3vr-m348.json"

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.1rc1

Fixed

7.1.3

Affected versions

7.*

7.1rc1

7.1

7.1.1

7.1.2

Database specific

last_known_affected_version_range

"<= 7.1.2"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4qvv-g3vr-m348/GHSA-4qvv-g3vr-m348.json"

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.2rc1

Fixed

7.2.2

Affected versions

7.*

7.2rc1

7.2

7.2.1

Database specific

last_known_affected_version_range

"<= 7.2.1"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4qvv-g3vr-m348/GHSA-4qvv-g3vr-m348.json"

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.3rc1

Fixed

7.3

Affected versions

7.*

7.3rc1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4qvv-g3vr-m348/GHSA-4qvv-g3vr-m348.json"