CVE-2026-54263

Reflected XSS in Wagtail Admin Dynamic Image URL

Vulnerability report for CVE-2026-54263, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a reflected cross-site scripting (XSS) vulnerability exists in the dynamic image URL generator view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could craft a URL that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is present for all sites, even if they do not enable the dynamic image serve view. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: wagtail
Product: wagtail
Version / Range: up to 7.4.2 (exclusive)

Exploitability

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

This vulnerability is a reflected cross-site scripting (XSS) issue found in the Wagtail content management system in versions prior to 7.0.8, 7.3.3, and 7.4.2. It exists in the dynamic image URL generator view within the Wagtail admin interface. A user with limited editor permissions can craft a malicious URL that, when accessed by a user with higher privileges, can execute actions using that higher-privileged user's credentials.

The vulnerability affects all sites using the vulnerable versions, even if they do not enable the dynamic image serve view. However, it cannot be exploited by ordinary site visitors without access to the Wagtail admin interface.

Impact Analysis

This vulnerability can allow an attacker with limited permissions to perform actions with the credentials of a higher-privileged user if that user views a specially crafted URL. This can lead to unauthorized actions within the Wagtail admin interface, potentially compromising the integrity and security of the content management system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Wagtail to one of the fixed versions: 7.0.8, 7.3.3, or 7.4.2.

Since the vulnerability affects the dynamic image URL generator view in the Wagtail admin interface, ensure that only trusted users have access to the Wagtail admin and limit editor permissions where possible until the upgrade is applied.
