PYSEC-2026-149

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-149.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2026-149

Aliases

CVE-2026-44200
GHSA-67rv-mg8q-5pf3

Published

2026-05-11T16:17:35.713Z

Modified

2026-05-20T09:19:23.155861Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

References

https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3

Affected packages

PyPI / wagtail

Package

Name: wagtail; View open source insights on deps.dev
Purl: pkg:pypi/wagtail

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.0.7

Introduced

7.1

Fixed

7.3.2

Affected versions

0.*

0.1

0.2

0.3

0.3.1

0.4

0.4.1

0.5

0.6

0.7

0.8

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.8.10

1.*

1.0b1

1.0b2

1.0rc1

1.0rc2

1.0

1.1rc1

1.1

1.2rc1

1.2

1.3rc1

1.3

1.3.1

1.4rc1

1.4

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.5rc1

1.5

1.5.1

1.5.2

1.5.3

1.6rc1

1.6

1.6.1

1.6.2

1.6.3

1.7rc1

1.7

1.8rc1

1.8

1.8.1

1.8.2

1.9rc1

1.9

1.9.1

1.10rc1

1.10

1.10.1

1.11rc1

1.11

1.11.1

1.12rc1

1.12

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.13rc1

1.13

1.13.1

1.13.2

1.13.3

1.13.4

2.*

2.0b1

2.0rc1

2.0

2.0.1

2.0.2

2.1rc1

2.1rc2

2.1

2.1.1

2.1.2

2.1.3

2.2rc1

2.2rc2

2.2

2.2.1

2.2.2

2.3rc1

2.3rc2

2.3

2.4rc1

2.4

2.5rc1

2.5

2.5.1

2.5.2

2.6rc1

2.6

2.6.1

2.6.2

2.6.3

2.7rc1

2.7rc2

2.7

2.7.1

2.7.2

2.7.3

2.7.4

2.8rc1

2.8

2.8.1

2.8.2

2.9rc1

2.9

2.9.1

2.9.2

2.9.3

2.10rc1

2.10rc2

2.10

2.10.1

2.10.2

2.11rc1

2.11

2.11.1

2.11.2

2.11.3

2.11.4

2.11.5

2.11.6

2.11.7

2.11.8

2.11.9

2.12rc1

2.12

2.12.1

2.12.2

2.12.3

2.12.4

2.12.5

2.12.6

2.13rc1

2.13rc2

2.13rc3

2.13

2.13.1

2.13.2

2.13.3

2.13.4

2.13.5

2.14rc1

2.14

2.14.1

2.14.2

2.15rc1

2.15rc2

2.15

2.15.1

2.15.2

2.15.3

2.15.4

2.15.5

2.15.6

2.16rc1

2.16rc2

2.16

2.16.1

2.16.2

2.16.3

3.*

3.0rc1

3.0rc2

3.0rc3

3.0

3.0.1

3.0.2

3.0.3

4.*

4.0rc1

4.0rc2

4.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1rc1

4.1

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.1.9

4.2rc1

4.2

4.2.1

4.2.2

4.2.3

4.2.4

5.*

5.0rc1

5.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.1rc1

5.1

5.1.1

5.1.2

5.1.3

5.2rc1

5.2

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.2.6

5.2.7

5.2.8

6.*

6.0rc1

6.0

6.0.1

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.1rc1

6.1rc2

6.1

6.1.1

6.1.2

6.1.3

6.2rc1

6.2

6.2.1

6.2.2

6.2.3

6.2.4

6.3rc1

6.3rc2

6.3

6.3.1

6.3.2

6.3.3

6.3.4

6.3.5

6.3.6

6.3.7

6.3.8

6.4rc1

6.4

6.4.1

6.4.2

7.*

7.0rc1

7.0

7.0.1

7.0.2

7.0.3

7.0.4

7.0.5

7.0.6

7.1

7.1.1

7.1.2

7.1.3

7.2rc1

7.2

7.2.1

7.2.2

7.2.3

7.3rc1

7.3

7.3.1

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/wagtail/PYSEC-2026-149.yaml"