Listen to this Post
CVE-2026-28222 is a stored Cross-site Scripting (XSS) vulnerability found in Wagtail, an open-source content management system built on Django. The flaw specifically resides in the rendering of `TableBlock` components within a StreamField. An authenticated user with access to the Wagtail admin interface, who has permissions to create or edit pages, can exploit this by inserting specially crafted `class` attributes into the table block’s HTML. When a page containing this malicious block is rendered and viewed by another user—particularly one with higher privileges—the arbitrary JavaScript code embedded in the `class` attribute executes in the context of the victim’s browser. This can lead to session hijacking or performing administrative actions using the victim’s credentials. The vulnerability is confined to instances where `TableBlock` is utilized and does not affect standard website visitors without Wagtail admin access. The issue has been addressed by the Wagtail team in patched versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, where input sanitization for these attributes has been implemented.
dailycve form:
Platform: Wagtail CMS
Version: <6.3.8,<7.0.6,<7.2.3,<7.3.1
Vulnerability : Stored XSS
Severity: Medium
date: 05 March 2026
Prediction: Patched versions released
What Undercode Say:
Analytics
The vulnerability chain requires an authenticated admin user to inject a malicious payload. The attack vector is through the `TableBlock` field, where unsanitized `class` attributes are rendered directly into the HTML. The likelihood of exploitation is reduced by the prerequisite of having backend editing access, but the impact is heightened by the potential for privilege escalation to a higher-level user.
Exploit:
Below are examples of how an attacker with admin access could inject a malicious payload into a TableBlock and a command to verify the presence of vulnerable packages in a Python environment.
Example of a malicious payload that could be inserted into the 'class' attribute of a TableBlock cell.
This payload creates an alert box to demonstrate XSS, but could be replaced with session-stealing code.
Payload: '" onfocus="alert(\'XSS\')" tabindex="0'
Command to check installed Wagtail version in a pip environment.
pip show wagtail | grep Version
Command to check installed Wagtail version in a pipenv environment.
pipenv run pip show wagtail | grep Version
Python one-liner to check if the installed version is vulnerable (returns True if vulnerable).
python3 -c "import wagtail; v=wagtail.<strong>version</strong>; print(v<'6.3.8' or ('7.0.0'<=v<'7.0.6') or ('7.2.0'<=v<'7.2.3') or ('7.3.0'<=v<'7.3.1'))"
Protection from this CVE
The primary protection is to upgrade to a patched version. If an immediate upgrade is not possible, a temporary workaround involves sanitizing the output of the `TableBlock` manually by overriding its template or by using a middleware that escapes `class` attributes in streamfield content, though this is less reliable. The following commands facilitate the upgrade.
Upgrade Wagtail to the latest patched version using pip. pip install --upgrade "wagtail>=7.3.1" If using a requirements.txt file, update the line for Wagtail and reinstall. Example line in requirements.txt: wagtail>=7.3.1 pip install -r requirements.txt --upgrade Verify the upgrade was successful. python -c "import wagtail; print(wagtail.<strong>version</strong>)"
Impact
Successful exploitation allows an attacker with low-level admin privileges to execute arbitrary JavaScript in the context of a higher-privileged user’s session. This can lead to unauthorized administrative actions, such as creating new admin accounts, modifying site content, or exfiltrating sensitive data. The integrity and confidentiality of the Wagtail CMS instance are at risk, potentially leading to full site compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

