Wagtail, Stored XSS, CVE-2026-28223 (Medium)

Listen to this Post

CVE-2026-28223 is a stored cross-site scripting (XSS) vulnerability residing in the `wagtail.contrib.simple_translation` module . The issue occurs because the module fails to properly sanitize page s before including them in confirmation messages displayed after a user performs the “Translate” action . An attacker with access to the Wagtail admin panel can create a page containing malicious JavaScript within its . When a different, privileged admin user subsequently translates that specific page, the unsanitized is rendered in the translation confirmation view, causing the arbitrary JavaScript to execute in the victim’s browser . This execution occurs within the security context of the Wagtail admin, allowing the attacker to potentially perform actions using the victim’s credentials, such as modifying content or escalating privileges . The vulnerability does not affect standard website visitors, as it requires access to the admin interface to both plant and trigger the payload . Patches have been released in Wagtail versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, which properly escape the output .

dailycve form:

Platform: Wagtail
Version: <6.3.8,<7.0.6,<7.2.3,<7.3.1
Vulnerability : Stored XSS
Severity: Medium
date: 03/05/2026

Prediction: Already Patched

What Undercode Say:

Analytics:

Check installed Wagtail version
pip show wagtail | grep Version
Enumerate all pages with potentially malicious s in the database (example for PostgreSQL)
psql -d your_wagtail_db -c "SELECT id, FROM wagtailcore_page WHERE ~ '<script|javascript:';"
Check if the simple_translation module is in use
grep -r "simple_translation" your_wagtail_project/settings/base.py

Exploit:

An attacker with admin access creates a new page with a containing a malicious payload, such as: "><img src=x onerror=alert('XSS')>. They then socially engineer or wait for a higher-privileged admin to use the translation action on this specific page. The payload triggers when the confirmation message loads, executing in the victim’s session.

Protection:

Immediately upgrade Wagtail to the patched versions: 6.3.8, 7.0.6, 7.2.3, or `7.3.1` . As a defense-in-depth measure, strictly limit the number of users with admin panel access and apply the principle of least privilege. Regularly audit page s and other content fields for suspicious script tags or JavaScript event handlers.

Impact:

Successful exploitation allows an attacker to perform unauthorized actions within the Wagtail admin interface under the guise of the victim user . This can lead to unauthorized content modification, creation of privileged accounts, or data exfiltration. The attack is considered medium severity because it requires valid admin credentials for the initial payload placement and cannot be triggered by unauthenticated site visitors .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top