CVE-2026-44200

EUVD-2026-29076
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Affected Products (NVD)
VendorProductVersion
torchboxwagtail
𝑥
< 7.0.7
torchboxwagtail
7.1 ≤
𝑥
< 7.3.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/wagtail/wagtail/security/advisories/GHSA-67rv-mg8q-5pf3