GHSA-P5CM-246W-84JM
Vulnerability from github – Published: 2026-03-03 17:57 – Updated: 2026-03-05 22:49
VLAI?
Summary
Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes
Details
Impact
A stored Cross-site Scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock.
Patches
Patched versions have been released as Wagtail 6.3.8, 7.0.6, 7.2.3 and 7.3.1.
Workarounds
Site owners who are unable to upgrade to the new versions can remediate the vulnerability by setting a template attribute on all TableBlock definitions, referencing a template that does not output class attributes. For example:
<!-- For use with TableBlock(template="path/to/table_block.html") -->
<table>
{% if table_caption %}
<caption>{{ table_caption }}</caption>
{% endif %}
{% if table_header %}
<thead>
<tr>
{% for cell in table_header %}
<th scope="col">{{ cell }}</th>
{% endfor %}
</tr>
</thead>
{% endif %}
<tbody>
{% for row in data %}
<tr>
{% for cell in row %}
{% if first_col_is_header and forloop.first %}
<th scope="row">{{ cell }}</th>
{% else %}
<td>{{ cell }}</td>
{% endif %}
{% endfor %}
</tr>
{% endfor %}
</tbody>
</table>
Acknowledgements
Many thanks to Guan Chenxian (@GCXWLP) for reporting this issue.
For more information
If there are any questions or comments about this advisory:
- Visit Wagtail's support channels
- Email Wagtail at security@wagtail.org (view the security policy for more information).
Severity ?
6.1 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "6.4rc1"
},
{
"fixed": "7.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "7.1rc1"
},
{
"fixed": "7.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "7.3rc1"
},
{
"fixed": "7.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28222"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T17:57:18Z",
"nvd_published_at": "2026-03-05T20:16:15Z",
"severity": "MODERATE"
},
"details": "### Impact\nA stored Cross-site Scripting (XSS) vulnerability exists on rendering `TableBlock` blocks within a StreamField. A user with access to create or edit pages containing `TableBlock` StreamField blocks is able to set specially-crafted `class` attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user\u0027s credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock.\n\n### Patches\nPatched versions have been released as Wagtail 6.3.8, 7.0.6, 7.2.3 and 7.3.1.\n\n### Workarounds\nSite owners who are unable to upgrade to the new versions can remediate the vulnerability by setting a `template` attribute on all TableBlock definitions, referencing a template that does not output `class` attributes. For example:\n\n```django\n\u003c!-- For use with TableBlock(template=\"path/to/table_block.html\") --\u003e\n\u003ctable\u003e\n {% if table_caption %}\n \u003ccaption\u003e{{ table_caption }}\u003c/caption\u003e\n {% endif %}\n {% if table_header %}\n \u003cthead\u003e\n \u003ctr\u003e\n {% for cell in table_header %}\n \u003cth scope=\"col\"\u003e{{ cell }}\u003c/th\u003e\n {% endfor %}\n \u003c/tr\u003e\n \u003c/thead\u003e\n {% endif %}\n \u003ctbody\u003e\n {% for row in data %}\n \u003ctr\u003e\n {% for cell in row %}\n {% if first_col_is_header and forloop.first %}\n \u003cth scope=\"row\"\u003e{{ cell }}\u003c/th\u003e\n {% else %}\n \u003ctd\u003e{{ cell }}\u003c/td\u003e\n {% endif %}\n {% endfor %}\n \u003c/tr\u003e\n {% endfor %}\n \u003c/tbody\u003e\n\u003c/table\u003e\n```\n\n### Acknowledgements\n\nMany thanks to Guan Chenxian (@GCXWLP) for reporting this issue.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\n- Visit Wagtail\u0027s [support channels](https://docs.wagtail.io/en/stable/support.html)\n- Email Wagtail at [security@wagtail.org](mailto:security@wagtail.org) (view the [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).",
"id": "GHSA-p5cm-246w-84jm",
"modified": "2026-03-05T22:49:01Z",
"published": "2026-03-03T17:57:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28222"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/commit/4620423cb22c5253391a0f04178089c1162f6e2e"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/commit/575c0d7c18c7716ed73f7a3c2720ad75956f0a85"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/commit/605a5569686565e035313222e1bc2f9802fbc55b"
},
{
"type": "PACKAGE",
"url": "https://github.com/wagtail/wagtail"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/releases/tag/v6.3.8"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/releases/tag/v7.0.6"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/releases/tag/v7.2.3"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/releases/tag/v7.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Wagtail Vulnerable to Cross-site Scripting in TableBlock class attributes"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…