Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: python314Packages.wagtail

Found 7 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-44197
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse ignored
    9 packages
    • python312Packages.wagtail-localize
    • python313Packages.wagtail-localize
    • python314Packages.wagtail-localize
    • python312Packages.wagtail-factories
    • python313Packages.wagtail-factories
    • python314Packages.wagtail-factories
    • python312Packages.wagtail-modeladmin
    • python313Packages.wagtail-modeladmin
    • python314Packages.wagtail-modeladmin
    1 month, 1 week ago
  • @LeSuisse accepted 1 month, 1 week ago
  • @LeSuisse published on GitHub 1 month, 1 week ago
Wagtail: Improper permission handling when comparing revisions

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Affected products

wagtail
  • ==< 7.0.7
  • ==>= 7.1, < 7.3.2

Matching in nixpkgs

pkgs.python313Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3

pkgs.python314Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3
Ignored packages (9)

Package maintainers

Published
Permalink CVE-2026-44200
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse ignored
    9 packages
    • python312Packages.wagtail-localize
    • python313Packages.wagtail-localize
    • python314Packages.wagtail-localize
    • python312Packages.wagtail-factories
    • python313Packages.wagtail-factories
    • python314Packages.wagtail-factories
    • python312Packages.wagtail-modeladmin
    • python313Packages.wagtail-modeladmin
    • python314Packages.wagtail-modeladmin
    1 month, 1 week ago
  • @LeSuisse accepted 1 month, 1 week ago
  • @LeSuisse published on GitHub 1 month, 1 week ago
Wagtail: Improper permission handling when copying pages

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Affected products

wagtail
  • ==< 7.0.7
  • ==>= 7.1, < 7.3.2

Matching in nixpkgs

pkgs.python313Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3

pkgs.python314Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3
Ignored packages (9)

Package maintainers

Published
Permalink CVE-2026-44198
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse ignored
    9 packages
    • python312Packages.wagtail-localize
    • python313Packages.wagtail-localize
    • python314Packages.wagtail-localize
    • python312Packages.wagtail-factories
    • python313Packages.wagtail-factories
    • python314Packages.wagtail-factories
    • python312Packages.wagtail-modeladmin
    • python313Packages.wagtail-modeladmin
    • python314Packages.wagtail-modeladmin
    1 month, 1 week ago
  • @LeSuisse accepted 1 month, 1 week ago
  • @LeSuisse published on GitHub 1 month, 1 week ago
Wagtail: Improper permission handling when viewing page history

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Affected products

wagtail
  • ==< 7.0.7
  • ==>= 7.1, < 7.3.2

Matching in nixpkgs

pkgs.python313Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3

pkgs.python314Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3
Ignored packages (9)

Package maintainers

Published
Permalink CVE-2026-44201
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse ignored
    9 packages
    • python312Packages.wagtail-localize
    • python313Packages.wagtail-localize
    • python314Packages.wagtail-localize
    • python312Packages.wagtail-factories
    • python313Packages.wagtail-factories
    • python314Packages.wagtail-factories
    • python312Packages.wagtail-modeladmin
    • python313Packages.wagtail-modeladmin
    • python314Packages.wagtail-modeladmin
    1 month, 1 week ago
  • @LeSuisse accepted 1 month, 1 week ago
  • @LeSuisse published on GitHub 1 month, 1 week ago
Wagtail: Improper restriction handling on Documents and Images API

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Affected products

wagtail
  • ==< 7.0.7
  • ==>= 7.1, < 7.3.2

Matching in nixpkgs

pkgs.python313Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3

pkgs.python314Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3
Ignored packages (9)

Package maintainers

Published
Permalink CVE-2026-44199
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 month, 1 week ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse ignored
    9 packages
    • python312Packages.wagtail-localize
    • python313Packages.wagtail-localize
    • python314Packages.wagtail-localize
    • python312Packages.wagtail-factories
    • python313Packages.wagtail-factories
    • python314Packages.wagtail-factories
    • python312Packages.wagtail-modeladmin
    • python313Packages.wagtail-modeladmin
    • python314Packages.wagtail-modeladmin
    1 month, 1 week ago
  • @LeSuisse accepted 1 month, 1 week ago
  • @LeSuisse published on GitHub 1 month, 1 week ago
Wagtail: Improper permission handling when deleting form submissions

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

Affected products

wagtail
  • ==< 7.0.7
  • ==>= 7.1, < 7.3.2

Matching in nixpkgs

pkgs.python313Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3

pkgs.python314Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3
Ignored packages (9)

Package maintainers

Published
Permalink CVE-2026-28222
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 2 weeks ago
  • @LeSuisse ignored
    10 packages
    • python312Packages.wagtail-localize
    • python313Packages.wagtail-localize
    • python314Packages.wagtail-localize
    • python312Packages.wagtail-factories
    • python313Packages.wagtail-factories
    • python314Packages.wagtail-factories
    • python312Packages.wagtail-modeladmin
    • python314Packages.wagtail
    • python313Packages.wagtail-modeladmin
    • python314Packages.wagtail-modeladmin
    3 months, 2 weeks ago
  • @LeSuisse restored package python314Packages.wagtail 3 months, 2 weeks ago
  • @LeSuisse accepted 3 months, 2 weeks ago
  • @LeSuisse published on GitHub 3 months, 2 weeks ago
Wagtail: Improper escaping of HTML (Cross-site Scripting) on TableBlock class attributes

Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.

Affected products

wagtail
  • ==>= 7.3rc1, < 7.3.1
  • ==>= 6.4rc1, < 7.0.6
  • ==>= 7.1rc1, < 7.2.3
  • ==< 6.3.8

Matching in nixpkgs

pkgs.python313Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3

pkgs.python314Packages.wagtail

Django content management system focused on flexibility and user experience

  • nixos-unstable 7.3
    • nixpkgs-unstable 7.3
    • nixos-unstable-small 7.3
Ignored packages (9)

Package maintainers

Upstream advisory: https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm
Patch:
* 7.3.x: https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85
* 7.2.x: https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b
Published
Permalink CVE-2026-25517
updated 4 months, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 4 months, 2 weeks ago
  • @LeSuisse ignored
    9 packages
    • python312Packages.wagtail-localize
    • python313Packages.wagtail-localize
    • python314Packages.wagtail-localize
    • python312Packages.wagtail-factories
    • python313Packages.wagtail-factories
    • python314Packages.wagtail-factories
    • python312Packages.wagtail-modeladmin
    • python313Packages.wagtail-modeladmin
    • python314Packages.wagtail-modeladmin
    4 months, 2 weeks ago
  • @LeSuisse accepted 4 months, 2 weeks ago
  • @LeSuisse published on GitHub 4 months, 2 weeks ago
Wagtail has improper permission handling on admin preview endpoints

Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3.

Affected products

wagtail
  • ==>= 6.4rc1, < 7.0.4
  • ==>= 7.1rc1, < 7.1.3
  • === 7.3rc1
  • ==>= 7.2rc1, < 7.2.2
  • ==< 6.3.6

Matching in nixpkgs

Ignored packages (9)

Package maintainers

Upstream advisory: https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348