CVE-2026-28223
Received Received - Intake
Stored XSS in Wagtail simple_translation Module Allows Admin Hijack

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28223
EUVD
EUVD-2026-9859
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
torchbox wagtail to 6.3.8 (exc)
torchbox wagtail From 6.4 (inc) to 7.0.6 (exc)
torchbox wagtail From 7.1 (inc) to 7.2.3 (exc)
torchbox wagtail 7.3
torchbox wagtail 7.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28223 is a stored cross-site scripting (XSS) vulnerability in the Wagtail content management system, specifically within the wagtail.contrib.simple_translation module. It occurs because confirmation messages do not properly escape HTML, allowing a user with access to the Wagtail admin area to create a page with a specially crafted title containing malicious JavaScript code.'}, {'type': 'paragraph', 'content': 'When another user with admin access performs the "Translate" action on this page, the malicious JavaScript executes in their browser context. This can lead to unauthorized actions being performed with that user\'s credentials.'}, {'type': 'paragraph', 'content': 'The vulnerability is not exploitable by ordinary site visitors without admin access and has been fixed in Wagtail versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.'}] [4]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you if you have users with admin access to the Wagtail CMS. An attacker with admin privileges can inject malicious JavaScript into page titles.'}, {'type': 'paragraph', 'content': 'When another admin user performs the "Translate" action on the affected page, the malicious script runs in their browser, potentially allowing the attacker to perform actions on behalf of that user using their credentials.'}, {'type': 'paragraph', 'content': 'This can lead to unauthorized changes, data manipulation, or other malicious activities within the CMS environment.'}] [4]

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves a stored cross-site scripting (XSS) issue in the wagtail.contrib.simple_translation module of Wagtail CMS, triggered by specially crafted page titles in the admin interface.

Detection would require checking for pages created in the Wagtail admin area with suspicious or specially crafted titles that could contain malicious JavaScript.

Since the vulnerability requires admin access and user interaction to trigger, network-based detection commands are not directly applicable from the provided information.

No specific detection commands or automated scanning methods are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade Wagtail CMS to a patched version where this vulnerability is fixed.

  • Upgrade to Wagtail version 6.3.8 or later.
  • Alternatively, upgrade to versions 7.0.6, 7.2.3, or 7.3.1 or later, which also contain the fix.

No workarounds are available for this vulnerability.

Ensure that only trusted users have access to the Wagtail admin area to reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28223. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart