CVE-2026-28222
Stored XSS in Wagtail TableBlock Allows Privilege Escalation
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| torchbox | wagtail | to 6.3.8 (exc) |
| torchbox | wagtail | From 6.4 (inc) to 7.0.6 (exc) |
| torchbox | wagtail | From 7.1 (inc) to 7.2.3 (exc) |
| torchbox | wagtail | 7.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28222 is a stored cross-site scripting (XSS) vulnerability in the Wagtail content management system, specifically affecting the TableBlock component within a StreamField. The issue arises because HTML attributes, such as the class attribute in table cells, were not properly escaped when rendering. This improper escaping allows a user with permission to create or edit pages containing TableBlock blocks to inject specially crafted class attributes that execute arbitrary JavaScript code when the page is viewed.
The vulnerability is exploitable only by users with editing privileges in the Wagtail admin interface and only affects sites using TableBlock. When a user with higher privileges views a page containing the malicious TableBlock, the injected script can run with their credentials, potentially leading to privilege escalation.
The root cause was the unsafe use of Django's mark_safe function to output HTML attributes without proper escaping. The fix replaced mark_safe with Django's format_html function to ensure attribute values are safely escaped, preventing script injection. [1, 2, 3, 4, 5, 6, 7, 8, 9]
How can this vulnerability impact me?
This vulnerability can impact you if you use Wagtail CMS with TableBlock and allow users to create or edit pages containing these blocks. An attacker with such permissions can inject malicious JavaScript code into the class attributes of table cells.
When a user with higher privileges views the affected page, the malicious script executes with their credentials. This can lead to unauthorized actions being performed on behalf of that user, such as modifying content, changing settings, or accessing sensitive information.
The vulnerability is not exploitable by ordinary site visitors without admin access, but it poses a significant risk of privilege escalation within the administrative interface.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored cross-site scripting (XSS) issue in the Wagtail CMS TableBlock component that occurs when malicious class attributes are injected into table blocks within StreamFields. Detection involves identifying if your Wagtail installation is running a vulnerable version prior to 6.3.8, 7.0.6, 7.2.3, or 7.3.1 and if TableBlock is used.
Since the vulnerability requires a user with permissions to create or edit pages containing TableBlock blocks, detection can include auditing page content for suspicious or specially crafted class attributes in tables.
There are no specific network commands provided in the resources to detect exploitation attempts. However, you can check the Wagtail version installed by running commands like:
- `pip show wagtail`
- `python -m wagtail --version`
Additionally, reviewing the database or page content for TableBlock entries containing suspicious class attributes with embedded JavaScript event handlers (e.g., onmouseover, onclick) may help detect exploitation attempts.
For example, querying the database for TableBlock content fields containing suspicious strings or HTML attributes could be done with SQL queries or CMS admin interface searches.
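The following is an added example (not code from Wagtail or from the advisory) that combines the two points above: it scans a stored StreamField value for TableBlock cell class names that are not plain CSS tokens, and it contrasts the unescaped attribute output described as the root cause with the escaped output the fix produces. The `cell`/`className` layout of the stored JSON and the `table` block name are assumptions; the sample content is constructed, and `html.escape` stands in for Django's `format_html` escaping.

```python
import html
import json
import re

# Constructed sample of a StreamField value as it might be stored in the database.
# The "cell" list carrying per-cell "className" entries is an assumed layout.
SAMPLE_STREAMFIELD = json.dumps([
    {"type": "table", "value": {
        "data": [["Name", "Qty"], ["Widget", "3"]],
        "first_row_is_table_header": True,
        "cell": [
            {"row": 1, "col": 0, "className": "htLeft"},
            # Constructed suspicious value: breaks out of the attribute and adds an event handler.
            {"row": 1, "col": 1, "className": 'x" onmouseover="alert(1)'},
        ],
    }},
])

# A legitimate class attribute is only letters, digits, '-', '_' and spaces.
SAFE_CLASS = re.compile(r"^[A-Za-z0-9_\- ]*$")


def unsafe_class_values(streamfield_json):
    """Return (block_index, row, col, value) for every cell className that is
    not a plain list of class tokens, i.e. a candidate stored-XSS payload."""
    findings = []
    for index, block in enumerate(json.loads(streamfield_json)):
        if block.get("type") != "table":
            continue
        for cell in block.get("value", {}).get("cell", []):
            cls = cell.get("className", "")
            if not SAFE_CLASS.match(cls):
                findings.append((index, cell.get("row"), cell.get("col"), cls))
    return findings


def render_cell_unsafe(cls):
    # Mirrors the vulnerable pattern: the value is concatenated into markup
    # and marked safe, so quotes in it terminate the attribute.
    return '<td class="' + cls + '">'


def render_cell_escaped(cls):
    # Mirrors the fix: the value is HTML-escaped (quotes included) before insertion,
    # as format_html does, so it cannot leave the attribute.
    return '<td class="' + html.escape(cls, quote=True) + '">'


if __name__ == "__main__":
    for finding in unsafe_class_values(SAMPLE_STREAMFIELD):
        print("suspicious className in block %d cell (%s,%s): %r" % finding)
```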
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade Wagtail to one of the patched versions: 6.3.8, 7.0.6, 7.2.3, or 7.3.1, where the vulnerability has been fixed by properly escaping HTML attributes in TableBlock.
If upgrading immediately is not possible, a workaround is to override the TableBlock template to exclude outputting the class attributes, thereby preventing injection of malicious scripts via these attributes.
This workaround involves customizing the template rendering TableBlock to omit or sanitize the class attribute output.
Additionally, restrict permissions so that only trusted users can create or edit pages containing TableBlock blocks, as exploitation requires such privileges.
Review and sanitize existing TableBlock content to remove any suspicious or malicious class attributes.