Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1501

NIXPKGS-2026-1501

GitHub issue published 1 month, 1 week ago

Permalink CVE-2026-44199

6.5 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 1 month, 1 week ago by @LeSuisse Activity log

Created suggestion 1 month, 1 week ago
@LeSuisse ignored
9 packages
- python312Packages.wagtail-localize
- python313Packages.wagtail-localize
- python314Packages.wagtail-localize
- python312Packages.wagtail-factories
- python313Packages.wagtail-factories
- python314Packages.wagtail-factories
- python312Packages.wagtail-modeladmin
- python313Packages.wagtail-modeladmin
- python314Packages.wagtail-modeladmin
1 month, 1 week ago
@LeSuisse accepted 1 month, 1 week ago
@LeSuisse published on GitHub 1 month, 1 week ago

Wagtail: Improper permission handling when deleting form submissions

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

References

https://github.com/wagtail/wagtail/security/advisories/GHSA-pwm3-7fv4-g6xx x_refsource_CONFIRM

Affected products

wagtail

==< 7.0.7
==>= 7.1, < 7.3.2

Matching in nixpkgs

pkgs.python312Packages.wagtail

None

pkgs.python313Packages.wagtail

Django content management system focused on flexibility and user experience

nixos-unstable 7.3
- nixpkgs-unstable 7.3
- nixos-unstable-small 7.3

pkgs.python314Packages.wagtail

Django content management system focused on flexibility and user experience

nixos-unstable 7.3
- nixpkgs-unstable 7.3
- nixos-unstable-small 7.3

Ignored packages (9)

pkgs.python312Packages.wagtail-localize

None

pkgs.python313Packages.wagtail-localize

Translation plugin for Wagtail CMS

nixos-unstable 1.13
- nixpkgs-unstable 1.13
- nixos-unstable-small 1.13

pkgs.python314Packages.wagtail-localize

Translation plugin for Wagtail CMS

nixos-unstable 1.13
- nixpkgs-unstable 1.13
- nixos-unstable-small 1.13

pkgs.python312Packages.wagtail-factories

None

pkgs.python313Packages.wagtail-factories

Factory boy classes for wagtail

nixos-unstable 4.4.0
- nixpkgs-unstable 4.4.0
- nixos-unstable-small 4.4.0

pkgs.python314Packages.wagtail-factories

Factory boy classes for wagtail

nixos-unstable 4.4.0
- nixpkgs-unstable 4.4.0
- nixos-unstable-small 4.4.0

pkgs.python312Packages.wagtail-modeladmin

None

pkgs.python313Packages.wagtail-modeladmin

Add any model in your project to the Wagtail admin. Formerly wagtail.contrib.modeladmin

nixos-unstable 2.3.0
- nixpkgs-unstable 2.3.0
- nixos-unstable-small 2.3.0

pkgs.python314Packages.wagtail-modeladmin

Add any model in your project to the Wagtail admin. Formerly wagtail.contrib.modeladmin

nixos-unstable 2.3.0
- nixpkgs-unstable 2.3.0
- nixos-unstable-small 2.3.0

Package maintainers

@sephii Sylvain Fankhauser <sephi@fhtagn.top>