CVE-2026-54260
Received - Intake

Denial of Service in Wagtail CMS via Rendition Processing

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs, potentially resulting in service degradation. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 3 associated CPEs
Vendor    Product    Version / Range
wagtail   wagtail    to 7.0.8 (exc)
wagtail   wagtail    to 7.3.3 (exc)
wagtail   wagtail    to 7.4.2 (exc)

Exploitability

CWE ID    Description
CWE-400   The product does not properly control the allocation and maintenance of a limited resource.

Executive Summary

This vulnerability exists in Wagtail, an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3, and 7.4.2, an authenticated admin user can trigger expensive rendition processing by using purposefully crafted filter specifications. This can lead to potential service degradation.

It is important to note that this vulnerability cannot be exploited by ordinary site visitors without access to the Wagtail admin interface.

Impact Analysis

The vulnerability can cause service degradation by allowing an authenticated admin user to trigger resource-intensive rendition processing. This may slow down or disrupt the normal operation of the Wagtail content management system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Wagtail to one of the fixed versions: 7.0.8, 7.3.3, or 7.4.2.

Since the vulnerability requires authenticated admin access, restrict admin user access and monitor for unusual rendition processing activity to reduce risk until the upgrade is applied.

Compliance Impact

This vulnerability allows an authenticated admin user to trigger expensive rendition processing that may lead to service degradation. However, it does not involve unauthorized access to sensitive data or compromise confidentiality or integrity.

Since the vulnerability does not expose personal data or affect data integrity, it is unlikely to directly impact compliance with standards such as GDPR or HIPAA, which focus on protecting personal and health information.

Nevertheless, service degradation could affect availability, which is a component of these regulations, but only if it results in significant downtime or a denial of service that impacts users' access to protected data.
