PYSEC-2024-86

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2024-86.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2024-86
Aliases
Published
2024-07-11T16:15:00Z
Modified
2026-06-08T11:15:06.450810372Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Wagtail is an open source content management system built on Django. A bug in Wagtail's parse_query_string would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, parse_query_string would take an unexpectedly large amount of time to process, resulting in a denial of service. In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses parse_query_string, it may be exploitable by other users (e.g. unauthenticated users). Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.

References

Affected packages

PyPI / wagtail

Package

Affected ranges

Type
GIT
Repo
https://github.com/wagtail/wagtail
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed
Type
ECOSYSTEM
Events
Introduced
6.0
Fixed
6.0.6
Introduced
6.1
Fixed
6.1.3
Introduced
2.0
Fixed
5.2.6

Affected versions

v0.*
v0.1
v0.2
v0.4
v0.5
v0.6
v0.7
v0.8
v0.8.1
v1.*
v1.0b2
v1.0rc1
v1.1rc1
v1.2rc1
v1.3rc1
v1.4rc1
v1.5rc1
v1.6rc1
v1.8rc1
v1.10rc1
2.*
2.0
2.0.1
2.0.2
2.1rc1
2.1rc2
2.1
2.1.1
2.1.2
2.1.3
2.2rc1
2.2rc2
2.2
2.2.1
2.2.2
2.3rc1
2.3rc2
2.3
2.4rc1
2.4
2.5rc1
2.5
2.5.1
2.5.2
2.6rc1
2.6
2.6.1
2.6.2
2.6.3
2.7rc1
2.7rc2
2.7
2.7.1
2.7.2
2.7.3
2.7.4
2.8rc1
2.8
2.8.1
2.8.2
2.9rc1
2.9
2.9.1
2.9.2
2.9.3
2.10rc1
2.10rc2
2.10
2.10.1
2.10.2
2.11rc1
2.11
2.11.1
2.11.2
2.11.3
2.11.4
2.11.5
2.11.6
2.11.7
2.11.8
2.11.9
2.12rc1
2.12
2.12.1
2.12.2
2.12.3
2.12.4
2.12.5
2.12.6
2.13rc1
2.13rc2
2.13rc3
2.13
2.13.1
2.13.2
2.13.3
2.13.4
2.13.5
2.14rc1
2.14
2.14.1
2.14.2
2.15rc1
2.15rc2
2.15
2.15.1
2.15.2
2.15.3
2.15.4
2.15.5
2.15.6
2.16rc1
2.16rc2
2.16
2.16.1
2.16.2
2.16.3
v2.*
v2.2rc1
v2.8rc1
v2.11.rc1
v2.16rc1
3.*
3.0rc1
3.0rc2
3.0rc3
3.0
3.0.1
3.0.2
3.0.3
4.*
4.0rc1
4.0rc2
4.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1rc1
4.1
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.2rc1
4.2
4.2.1
4.2.2
4.2.3
4.2.4
v4.*
v4.1rc1
5.*
5.0rc1
5.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.1rc1
5.1
5.1.1
5.1.2
5.1.3
5.2rc1
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
v5.*
v5.2rc1
v5.2
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v6.*
v6.0rc1
v6.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.1rc1
v6.1rc2
v6.1
v6.1.1
v6.1.2
6.*
6.0
6.0.1
6.0.2
6.0.3
6.0.4
6.0.5
6.1
6.1.1
6.1.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2024-86.yaml"