GHSA-p4v8-rw59-93cq

Source

https://github.com/advisories/GHSA-p4v8-rw59-93cq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p4v8-rw59-93cq/GHSA-p4v8-rw59-93cq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p4v8-rw59-93cq

Aliases

CVE-2026-28223

Published

2026-03-03T17:59:30Z

Modified

2026-03-05T23:01:34.601164Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Wagtail Vulnerable to Cross-site Scripting in simple_translation admin interface

Details

Impact

A stored Cross-site Scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

Patches

Patched versions have been released as Wagtail 6.3.8, 7.0.6, 7.2.3 and 7.3.1.

Workarounds

None

Acknowledgements

Many thanks to Guan Chenxian (@GCXWLP) for reporting this issue.

For more information

If there are any questions or comments about this advisory:

Visit Wagtail's support channels
Email Wagtail at security@wagtail.org (view the security policy for more information).

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2026-03-05T20:16:15Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2026-03-03T17:59:30Z"
}

References

Affected packages

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.3.8

Affected versions

0.*

0.1

0.2

0.3

0.3.1

0.4

0.4.1

0.5

0.6

0.7

0.8

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.8.10

1.*

1.0b1

1.0b2

1.0rc1

1.0rc2

1.0

1.1rc1

1.1

1.2rc1

1.2

1.3rc1

1.3

1.3.1

1.4rc1

1.4

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.5rc1

1.5

1.5.1

1.5.2

1.5.3

1.6rc1

1.6

1.6.1

1.6.2

1.6.3

1.7rc1

1.7

1.8rc1

1.8

1.8.1

1.8.2

1.9rc1

1.9

1.9.1

1.10rc1

1.10

1.10.1

1.11rc1

1.11

1.11.1

1.12rc1

1.12

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.13rc1

1.13

1.13.1

1.13.2

1.13.3

1.13.4

2.*

2.0b1

2.0rc1

2.0

2.0.1

2.0.2

2.1rc1

2.1rc2

2.1

2.1.1

2.1.2

2.1.3

2.2rc1

2.2rc2

2.2

2.2.1

2.2.2

2.3rc1

2.3rc2

2.3

2.4rc1

2.4

2.5rc1

2.5

2.5.1

2.5.2

2.6rc1

2.6

2.6.1

2.6.2

2.6.3

2.7rc1

2.7rc2

2.7

2.7.1

2.7.2

2.7.3

2.7.4

2.8rc1

2.8

2.8.1

2.8.2

2.9rc1

2.9

2.9.1

2.9.2

2.9.3

2.10rc1

2.10rc2

2.10

2.10.1

2.10.2

2.11rc1

2.11

2.11.1

2.11.2

2.11.3

2.11.4

2.11.5

2.11.6

2.11.7

2.11.8

2.11.9

2.12rc1

2.12

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.12.6

2.13rc1

2.13rc2

2.13rc3

2.13

2.13.1

2.13.2

2.13.3

2.13.4

2.13.5

2.14rc1

2.14

2.14.1

2.14.2

2.15rc1

2.15rc2

2.15

2.15.1

2.15.2

2.15.3

2.15.4

2.15.5

2.15.6

2.16rc1

2.16rc2

2.16

2.16.1

2.16.2

2.16.3

3.*

3.0rc1

3.0rc2

3.0rc3

3.0

3.0.1

3.0.2

3.0.3

4.*

4.0rc1

4.0rc2

4.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1rc1

4.1

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.1.9

4.2rc1

4.2

4.2.1

4.2.2

4.2.3

4.2.4

5.*

5.0rc1

5.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.1rc1

5.1

5.1.1

5.1.2

5.1.3

5.2rc1

5.2

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

6.*

6.0rc1

6.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.1rc1

6.1rc2

6.1

6.1.1

6.1.2

6.1.3

6.2rc1

6.2

6.2.1

6.2.2

6.2.3

6.2.4

6.3rc1

6.3rc2

6.3

6.3.1

6.3.2

6.3.3

6.3.4

6.3.5

6.3.6

6.3.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p4v8-rw59-93cq/GHSA-p4v8-rw59-93cq.json"

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4rc1

Fixed

7.0.6

Affected versions

6.*

6.4rc1

6.4

6.4.1

6.4.2

7.*

7.0rc1

7.0

7.0.1

7.0.2

7.0.3

7.0.4

7.0.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p4v8-rw59-93cq/GHSA-p4v8-rw59-93cq.json"

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.1rc1

Fixed

7.2.3

Affected versions

7.*

7.1rc1

7.1

7.1.1

7.1.2

7.1.3

7.2rc1

7.2

7.2.1

7.2.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p4v8-rw59-93cq/GHSA-p4v8-rw59-93cq.json"

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.3rc1

Fixed

7.3.1

Affected versions

7.*

7.3rc1

7.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p4v8-rw59-93cq/GHSA-p4v8-rw59-93cq.json"