CVE-2026-28223
Stored XSS in Wagtail simple_translation Module Allows Admin Hijack
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| torchbox | wagtail | Before 6.3.8 (exc) |
| torchbox | wagtail | From 6.4 (inc) to 7.0.6 (exc) |
| torchbox | wagtail | From 7.1 (inc) to 7.2.3 (exc) |
| torchbox | wagtail | 7.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28223 is a stored cross-site scripting (XSS) vulnerability in the Wagtail content management system, specifically within the wagtail.contrib.simple_translation module. It occurs because confirmation messages do not properly escape HTML, allowing a user with access to the Wagtail admin area to create a page with a specially crafted title containing malicious JavaScript code.

When another user with admin access performs the "Translate" action on this page, the malicious JavaScript executes in their browser context. This can lead to unauthorized actions being performed with that user's credentials.

The vulnerability is not exploitable by ordinary site visitors without admin access and has been fixed in Wagtail versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1. [4]
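The following is an added example, not code from Wagtail or from this advisory, showing the pattern the description refers to: a confirmation message built by interpolating the page title and then marking the whole string safe, next to the hardened form that escapes the title at interpolation time. The helpers are simplified, stdlib-only stand-ins for the semantics of Django's mark_safe, conditional_escape and format_html so the block runs without Django installed; the message wording and the malicious title are constructed for illustration and do not reproduce Wagtail's actual strings or its fix.

```python
from html import escape


class SafeString(str):
    """Marker for text already known to be safe HTML (simplified stand-in for
    Django's SafeString; illustration only, not Wagtail's code)."""


def mark_safe(s: str) -> SafeString:
    """Declare a string safe without escaping it (stand-in for django.utils.safestring.mark_safe)."""
    return SafeString(s)


def conditional_escape(value) -> SafeString:
    """Escape unless the value was already marked safe."""
    if isinstance(value, SafeString):
        return value
    return SafeString(escape(str(value), quote=True))


def format_html(template: str, *args) -> SafeString:
    """Interpolate with every argument escaped first (stand-in for django.utils.html.format_html)."""
    return SafeString(template.format(*(conditional_escape(a) for a in args)))


# Constructed sample input: a page title set by a user who has admin access.
MALICIOUS_TITLE = '<img src=x onerror="alert(document.cookie)">Home'

# Hypothetical confirmation text; Wagtail's real wording is not reproduced here.
TEMPLATE = "The page '{}' was successfully submitted for translation."


def vulnerable_message(title: str) -> SafeString:
    """Vulnerable pattern: interpolate the raw title, then mark the whole
    string safe, so the title's markup is rendered by the admin's browser."""
    return mark_safe(TEMPLATE.format(title))


def fixed_message(title: str) -> SafeString:
    """Hardened pattern: the title is escaped at interpolation time, so the
    browser shows the literal text '<img ...>' instead of parsing it."""
    return format_html(TEMPLATE, title)


def contains_raw_markup(message: str) -> bool:
    """True if an unescaped '<' survived into the message, i.e. title markup
    would be parsed as HTML when the message is rendered as safe."""
    return "<" in message


if __name__ == "__main__":
    print(vulnerable_message(MALICIOUS_TITLE))  # title markup intact
    print(fixed_message(MALICIOUS_TITLE))       # title shown as &lt;img ...&gt;
```

The point of the marker type is that escaping happens per argument, not per message: a title that is a plain str is escaped, while a fragment the developer deliberately marked safe passes through unchanged, so the template can still contain markup without the user-controlled part being able to add any.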
How can this vulnerability impact me?
This vulnerability can impact you if you have users with admin access to the Wagtail CMS. An attacker with admin privileges can inject malicious JavaScript into page titles.

When another admin user performs the "Translate" action on the affected page, the malicious script runs in their browser, potentially allowing the attacker to perform actions on behalf of that user using their credentials.

This can lead to unauthorized changes, data manipulation, or other malicious activities within the CMS environment. [4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a stored cross-site scripting (XSS) issue in the wagtail.contrib.simple_translation module of Wagtail CMS, triggered by specially crafted page titles in the admin interface.
Detection would require checking for pages created in the Wagtail admin area with suspicious or specially crafted titles that could contain malicious JavaScript.
Since the vulnerability requires admin access and user interaction to trigger, network-based detection commands are not directly applicable from the provided information.
No specific detection commands or automated scanning methods are provided in the available resources.
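Since the advisory gives no detection commands, here is an added example (not from the advisory or from Wagtail) of the two checks a practitioner can actually run: compare the installed Wagtail version against the affected ranges in the table above, and scan existing page titles for HTML markup, in particular tags carrying inline event-handler attributes. The version table is transcribed from this page; the sample titles are constructed, standing in for the titles you would pull from the database.

```python
import re
from html.parser import HTMLParser

# Affected ranges from the table above, as (lower inclusive, upper exclusive).
# The first range has no stated lower bound, so it starts at 0.0.0; the single
# "7.3" row is treated as 7.3.0 only, since 7.3.1 is the fixed release.
AFFECTED_RANGES = [
    ((0, 0, 0), (6, 3, 8)),
    ((6, 4, 0), (7, 0, 6)),
    ((7, 1, 0), (7, 2, 3)),
    ((7, 3, 0), (7, 3, 1)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple:
    """Turn '6.4' or '7.0.5' into a comparable (major, minor, patch) tuple;
    anything after the numeric part (e.g. a pre-release suffix) is ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Wagtail version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the given Wagtail version falls in one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


class _MarkupDetector(HTMLParser):
    """Collect start tags found in a title, together with any on* attributes
    (inline event handlers) they carry."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        handlers = [name for name, _ in attrs if name.lower().startswith("on")]
        self.tags.append((tag, handlers))


def scan_titles(titles):
    """Return {title: [(tag, [event attrs]), ...]} for every title containing
    HTML markup. Page titles are plain text, so any tag is worth a look; a tag
    with an on* attribute is the pattern this advisory describes."""
    flagged = {}
    for title in titles:
        if "<" not in title:
            continue  # cheap pre-filter; already-escaped text like &lt; is inert
        detector = _MarkupDetector()
        detector.feed(title)
        detector.close()
        if detector.tags:
            flagged[title] = detector.tags
    return flagged


# Constructed sample titles standing in for the titles stored in the CMS database.
SAMPLE_TITLES = [
    "About us",
    "Terms &amp; Conditions",
    "Pricing <b>2026</b>",
    '<img src=x onerror="alert(document.cookie)">Home',
    "<script>fetch('/admin/users/')</script>",
]

if __name__ == "__main__":
    for v in ("6.3.7", "6.3.8", "7.0.5", "7.2.3", "7.3", "7.3.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for title, tags in scan_titles(SAMPLE_TITLES).items():
        print(repr(title), "->", tags)
```

Against a live site, feed scan_titles the titles straight from the database (for example Page.objects.values_list("title", flat=True) from a Django shell) and include page revision history as well, since an attacker can restore a harmless title after the Translate action has fired. Any hit from an account that should not be authoring pages is worth treating as an incident, not just a cleanup.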
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Wagtail CMS to the patched release of the branch you are running; a later release in another branch is not automatically fixed (for example, 6.4 through 7.0.5 are affected even though they are newer than 6.3.8).
- 6.3.x: upgrade to 6.3.8 or a later 6.3.x release.
- 6.4 through 7.0.x: upgrade to 7.0.6 or a later 7.0.x release.
- 7.1 through 7.2.x: upgrade to 7.2.3 or a later 7.2.x release.
- 7.3: upgrade to 7.3.1 or later.
No workarounds are available for this vulnerability.
Ensure that only trusted users have access to the Wagtail admin area, since exploitation requires an account that can create pages there, and review existing page titles for HTML markup before other administrators use the "Translate" action.